MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4
SHA3-384 hash: 0273e90d8b9f4a64d6e8ba0b18f6ce4ef61482a78e7b95ba11c43fa9d591fd7ea8ab16577d6dff6ae8b35912e44e095a
SHA1 hash: 4ed0d6adfda444b03f2660c5070cb2ddbc6bf793
MD5 hash: 889b7bffec04add185815d1b58d7c979
humanhash: sierra-emma-iowa-fourteen
File name:readme.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:420'864 bytes
First seen:2022-03-18 07:49:52 UTC
Last seen:2022-03-18 10:21:58 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 9ddb3bbcd99543c365ed933ba49f71ae (2 x Gozi)
ssdeep 6144:dxfsNksMFgVp68Rlz43Ku+lzgktf1VeSboRBVMMRddcTFCIKT911CGl:vsasMaVAmBzLtffKRAwddIFDns
Threatray 535 similar samples on MalwareBazaar
TLSH T107949E22F2D18837C173263C8D5B5678A8397E503D295C4E2BE81E4C5F397813B792AB
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter JAMESWT_WT
Tags:agenziaentrate dll exe Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
426
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/252285/
Detection(s):
SecuriteInfo.com.Fareit-FDGG889B7BFFEC04.15386.930.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed
Link:
https://www.filescan.io/uploads/623439b0b94fb38cb4a0e80f/reports/45cf3cfa-408b-4bd9-ae5f-f5dd58c081fe/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee6006e4-d865-4a29-ae72-db35430c71c8
Result
Threat name:
Ursnif CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/959292
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 591773 Sample: readme.exe Startdate: 18/03/2022 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 6 other signatures 2->56 8 loaddll32.exe 7 2->8         started        12 iexplore.exe 1 50 2->12         started        14 iexplore.exe 1 50 2->14         started        16 2 other processes 2->16 process3 dnsIp4 46 premiumlists.ru 8->46 48 linkspremium.ru 8->48 58 Found evasive API chain (may stop execution after checking system information) 8->58 60 Found API chain indicative of debugger detection 8->60 62 Writes or reads registry keys via WMI 8->62 64 2 other signatures 8->64 18 cmd.exe 1 8->18         started        20 iexplore.exe 32 12->20         started        23 iexplore.exe 32 14->23         started        25 iexplore.exe 31 16->25         started        27 iexplore.exe 16->27         started        signatures5 process6 dnsIp7 29 rundll32.exe 18->29         started        34 premiumlists.ru 45.128.184.132, 49799, 49800, 49823 MGNHOST-ASRU Russian Federation 20->34 36 127.0.0.1 unknown unknown 20->36 38 31.41.46.120, 49814, 49815, 80 ASRELINKRU Russian Federation 23->38 40 sistemliner.top 23->40 42 linkspremium.ru 62.173.149.135, 49781, 49782, 49783 SPACENET-ASInternetServiceProviderRU Russian Federation 25->42 44 sistemliner.top 25->44 process8 signatures9 66 Found evasive API chain (may stop execution after checking system information) 29->66 68 Found stalling execution ending in API Sleep call 29->68 70 Found API chain indicative of debugger detection 29->70 72 Contains functionality to detect sleep reduction / modifications 29->72 32 WerFault.exe 23 9 29->32         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-03-18 07:50:12 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86
Gozi
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
388022f82cf14f03e13aac05209d02e26685ae97c45077b64bdbab3e7fa44f17
Gozi
410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd
Gozi
d61ee5e7b17684983ea9049f719beb05978a813638f53f7625e970bae1c2abd7
Gozi
+ 525 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7625 banker trojan
Link:
https://tria.ge/reports/220318-jpac9sghbr/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Gozi_JJ_loader
Gozi_JJ_loader_0
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
sistemliner.top
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
6fb42a57c8dcc56f467290ab3754b512d0074fd1445284b3998b7161372cf4a0
MD5 hash:
a023cde5343b81586aea9ed8e8b62f79
SHA1 hash:
c883826d569b2bdd5e71f3fc39b15a183381464a
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/177fd3d3-e0ba-4ca1-a170-2920d4a15069/
Parent samples :
9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4
3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27
7cbb379e78c7c547cfd1957ccaa0be899cb97df3d001605c9bd51cd70d975886
SH256 hash:
ab2fad795e531fbfc0c3ebef645522fdc7fa058d905634e5512987348ec79783
MD5 hash:
a62dfacb00cc2b502154e3b77e35dd6c
SHA1 hash:
c5482a53d940c22af20bb475364d8e4bce187b81
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/177fd3d3-e0ba-4ca1-a170-2920d4a15069/
Parent samples :
9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4
3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27
7cbb379e78c7c547cfd1957ccaa0be899cb97df3d001605c9bd51cd70d975886
SH256 hash:
9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4
MD5 hash:
889b7bffec04add185815d1b58d7c979
SHA1 hash:
4ed0d6adfda444b03f2660c5070cb2ddbc6bf793
Link:
https://www.unpac.me/results/177fd3d3-e0ba-4ca1-a170-2920d4a15069/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9c815841be71/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/252285/
  
URLhaus
https://urlhaus.abuse.ch/url/2101929/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2103348/

Comments