MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c4088dfc53bb7b6d9887d200801a926b73c09458910460a2d6f4e2d67f13e6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c4088dfc53bb7b6d9887d200801a926b73c09458910460a2d6f4e2d67f13e6e
SHA3-384 hash: 2befd82691c6c4acc9cae837373794b2d5d8fe91412534332adddcf581ae12356e0b88ea950708c8ad6a5522bd4024f1
SHA1 hash: 46958a4143c337f8406b0c785d434c8892e902e8
MD5 hash: 0d68d238d713f63ff02be916ae633466
humanhash: lactose-mike-batman-uniform
File name:6101135878f66.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:556'032 bytes
First seen:2021-07-28 08:21:25 UTC
Last seen:2021-07-28 17:14:38 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 49c4814f9659cba3f787457752949e56 (2 x Gozi)
ssdeep 12288:KaM55j1f/QOwOSnV8Eh3doxeNZNN2lFzx3ycxXs4:Ka6z3E4INX03ycxc4
Threatray 415 similar samples on MalwareBazaar
TLSH T103C48B087659AC32D2E362320B15E651232D74742B2186CF77EC7E9F2FB81D32639796
Reporter JAMESWT_WT
Tags:dll enel EnelEnergia Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
3
# of downloads :
658
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174594/
Detection(s):
SecuriteInfo.com.Program.Win32.Wacapew.Cml.1598.30445.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/464d5c41-c1bb-4c6d-be39-ce7c3756be22
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/822958
Signature
Found malware configuration
Machine Learning detection for sample
System process connects to network (likely due to code injection or exploit)
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 455370 Sample: 6101135878f66.dll Startdate: 28/07/2021 Architecture: WINDOWS Score: 72 28 Found malware configuration 2->28 30 Yara detected  Ursnif 2->30 32 Machine Learning detection for sample 2->32 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        12 cmd.exe 1 7->12         started        14 rundll32.exe 7->14         started        16 rundll32.exe 7->16         started        signatures5 36 System process connects to network (likely due to code injection or exploit) 9->36 38 Writes registry values via WMI 9->38 18 rundll32.exe 12 12->18         started        process6 dnsIp7 22 daskdjknefjkewfnkjwe.net 185.186.245.109, 443, 49774 WZCOM-US Netherlands 18->22 24 zaluoa.live 185.82.217.6, 443, 49764 ITL-BG Bulgaria 18->24 26 8 other IPs or domains 18->26 34 System process connects to network (likely due to code injection or exploit) 18->34 signatures8
Gathering data
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
171c18f740641ffc0e1ce486feacabb367292d01627a7103cd614e9a746a9b9c
Gozi
310ac7c48b536f71a16706f67fd4d2bed5d9f5708dd460cf3cbc0cd34f43a3ed
Gozi
4eedda82bcd9d7789aa060262cbcddb7dccc4661e70984ebf31f80954ffc90a7
Gozi
54ce5aedb7cc073c481eb8af96f89f3ab11e5decaccf942d033479fd0f04c8b3
Gozi
6c99703002ea5284f603d0041f3a72b3a9e26f8f7af45a1f5e34e4297be0efb8
Gozi
6e4568c87d8d2b5d6428ce46362b1ae29559047aafc275948cd4510573e460a8
Gozi
8328e3fd543f366d1625e37bf5b002b5d057b2d80aa2250326c174425886c1c0
Gozi
aa56916f2b2343a71ffbb8e8e28350d2cdd54ece785712703de5a703d58bb4df
Gozi
+ 405 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8877 banker trojan
Link:
https://tria.ge/reports/210728-8lskcpfdj6/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
zaluoa.live
daskdjknefjkewfnkjwe.net
Unpacked files
SH256 hash:
f2554f915153f9bea113b9955de9038df77752c24dbe5cafcd8638d503465f77
MD5 hash:
fddf38312f055e7d75c7ada10ee8a625
SHA1 hash:
7771956e1bdea019eee3a3d9e9bbece9657adcaa
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/bb62af98-22f0-41b1-bdb4-2d6f7b89b5dd/
SH256 hash:
9c4088dfc53bb7b6d9887d200801a926b73c09458910460a2d6f4e2d67f13e6e
MD5 hash:
0d68d238d713f63ff02be916ae633466
SHA1 hash:
46958a4143c337f8406b0c785d434c8892e902e8
Link:
https://www.unpac.me/results/bb62af98-22f0-41b1-bdb4-2d6f7b89b5dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c4088dfc53bb7b6d9887d200801a926b73c09458910460a2d6f4e2d67f13e6e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174594/

Comments