MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb
SHA3-384 hash: 24692bdec71bee35d2dc8f5245d3ab13fc62b0ffb8a629c6d21f64f81157b5bd7b0b1a93538d42d828e2aead67afc039
SHA1 hash: 4c855f80076e357d35c7d60cd52d2c49abefc5ff
MD5 hash: ba2befa9c70c2b6d779c48a59cece3e5
humanhash: wyoming-pizza-shade-pizza
File name:yytr.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:474'112 bytes
First seen:2021-02-09 10:51:53 UTC
Last seen:2021-02-09 13:06:06 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 04b028ba19ad75496473f6f214390b31 (1 x Gozi)
ssdeep 6144:zQOWfcHYKeRatkAJwiClyM7CuCO8kdxZmY6icsFrrEQvOFDvXOcY5EpCDSqh3l:ifcHby4kAeiCp86xIYnXOFDOEpbqH
Threatray 1'239 similar samples on MalwareBazaar
TLSH BAA48F26F6D0D833D16326789E0BA7A5A839BF513D2C58462FE41D4C4F38B42767B293
Reporter JAMESWT_WT
Tags:Gozi Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/602832
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 350433 Sample: yytr.dll Startdate: 09/02/2021 Architecture: WINDOWS Score: 100 62 8.8.8.8.in-addr.arpa 2->62 64 1.0.0.127.in-addr.arpa 2->64 66 resolver1.opendns.com 2->66 80 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->80 82 Found malware configuration 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 9 other signatures 2->86 9 mshta.exe 2->9         started        12 loaddll32.exe 1 2->12         started        14 iexplore.exe 1 72 2->14         started        16 2 other processes 2->16 signatures3 process4 signatures5 112 Suspicious powershell command line found 9->112 18 powershell.exe 9->18         started        114 Writes to foreign memory regions 12->114 116 Allocates memory in foreign processes 12->116 118 Modifies the context of a thread in another process (thread injection) 12->118 120 4 other signatures 12->120 22 control.exe 12->22         started        24 rundll32.exe 12->24         started        26 iexplore.exe 41 14->26         started        29 iexplore.exe 30 16->29         started        31 iexplore.exe 16->31         started        33 iexplore.exe 16->33         started        process6 dnsIp7 54 C:\Users\user\AppData\...\qxfma03s.cmdline, UTF-8 18->54 dropped 56 C:\Users\user\AppData\Local\...\maejgtwh.0.cs, UTF-8 18->56 dropped 88 Injects code into the Windows Explorer (explorer.exe) 18->88 90 Writes to foreign memory regions 18->90 92 Modifies the context of a thread in another process (thread injection) 18->92 94 Compiles code for process injection (via .Net compiler) 18->94 35 explorer.exe 18->35 injected 39 csc.exe 18->39         started        42 csc.exe 18->42         started        44 conhost.exe 18->44         started        96 Changes memory attributes in foreign processes to executable or writable 22->96 98 Maps a DLL or memory area into another process 22->98 100 Creates a thread in another existing process (thread injection) 22->100 102 Contains functionality to detect sleep reduction / modifications 24->102 46 WerFault.exe 23 9 24->46         started        72 assets.onestore.ms 26->72 74 consentdeliveryfd.azurefd.net 26->74 76 ajax.aspnetcdn.com 26->76 78 pronpepsipirpyamvioerd.com 80.208.230.180, 49784, 49785, 49786 RACKRAYUABRakrejusLT Lithuania 29->78 file8 signatures9 process10 dnsIp11 68 eorctconthoelrrpentshfex.com 45.67.231.135, 443 SERVERIUS-ASNL Moldova Republic of 35->68 70 mozilla.cloudflare-dns.com 104.16.249.249, 443, 49794, 49795 CLOUDFLARENETUS United States 35->70 104 Tries to steal Mail credentials (via file access) 35->104 106 Changes memory attributes in foreign processes to executable or writable 35->106 108 Tries to harvest and steal browser information (history, passwords, etc) 35->108 110 6 other signatures 35->110 48 RuntimeBroker.exe 35->48 injected 58 C:\Users\user\AppData\Local\...\qxfma03s.dll, PE32 39->58 dropped 50 cvtres.exe 39->50         started        60 C:\Users\user\AppData\Local\...\maejgtwh.dll, PE32 42->60 dropped 52 cvtres.exe 42->52         started        file12 signatures13 process14
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 02:24:00 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285
Gozi
2a80deaa083bb554ccc57c0ffd467b4fd1a6e2f1ae6ab1a3de140aab849b19bf
Gozi
2b8c7b7112e8070d01b2f977c360772e05704fff1838bf124780b9c8b699f337
Gozi
361fb6895164e8e130e6fc3f6dc984af355294173c5e385d0ac35d6df61aea60
Gozi
493d258253c3d4b39ae41b07ae583164926731a9d1b17c434cca2b8fa9c80629
Gozi
50ec326918e3930b8099b483ecf0a44bebba1fc7013cc234f2fbc358acb26fe5
Gozi
60924e938260500bea6ca3a3475455bdea8ec70ad6df3358f2f867460061c535
Gozi
61774f16549fb39d6d28ea208634bb106294bb2e31e6847d804f74a08a4bc0e2
Gozi
63a8687b9f3d1ef090cbd4f3c78edb9ff645ead16c5eacb05debf14e418596f4
Gozi
b2701be6d7b593433a48955c5613953470e2c807a87fa18eb33334da66dd41b0
Gozi
+ 1'229 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210209-1l56zsre2n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
ca5acd0ada19d8c60b44f52794752934636819e53fa0a3773113dd7864407b55
MD5 hash:
249b3726f70929d64eb257a8ce5138e1
SHA1 hash:
bf84e3d26ff227eeee1305b60f676457af8ba3e4
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/08393dfa-89af-4883-b845-23f8725b3062/
SH256 hash:
9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb
MD5 hash:
ba2befa9c70c2b6d779c48a59cece3e5
SHA1 hash:
4c855f80076e357d35c7d60cd52d2c49abefc5ff
Link:
https://www.unpac.me/results/08393dfa-89af-4883-b845-23f8725b3062/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/996969/
  
Delivery method
Distributed via web download

Comments