MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0
SHA3-384 hash: a296be48ee022cebba0801431c3e453cffa0cf09e63e3af17f823f46245d7afa513613ba6600085e08fbca78eb92bf65
SHA1 hash: 01b0ece80907f2d9e500ada1cd2d555b782dd3a2
MD5 hash: b0f3a46adf98efb3a9ac7cead9b4fc5a
humanhash: utah-mike-pip-lima
File name:9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0
Download: download sample
Signature Gozi
Create hunting rule
File size:135'192 bytes
First seen:2020-11-29 15:48:46 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash cd7f3d55c61700646f64e39b87a7f779 (1 x Gozi)
ssdeep 3072:6YcS7/elK+/8OclqVHCWPR02j7UFMuhSNVqTZFnT0urv:z7C8uHCWPRp71uEOrnourv
Threatray 617 similar samples on MalwareBazaar
TLSH 37D3E1147D824907CAFB48B5B2FF8E0D5E726F4113612893537B5DFEAE30285A52B232
Reporter JAMESWT_WT
Tags:Gozi NONO spol. s r.o. signed

Code Signing Certificate

Organisation:NONO spol. s r.o.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Oct 20 00:00:00 2020 GMT
Valid to:Oct 20 23:59:59 2021 GMT
Serial number: B4F42E2C153C904FDA64C957ED7E1028
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: AD6D469A1AC6F92237EA79782EA86F259CAFE774C554BAB9F193DFB08F6F091A
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105971/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Deleting a recently created file
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching a process
Creating a window
DNS request
Sending a custom TCP request
Searching for the window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/550501
Signature
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 324366 Sample: xG4rjYxzCT Startdate: 29/11/2020 Architecture: WINDOWS Score: 64 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected  Ursnif 2->34 6 loaddll32.exe 1 2->6         started        9 iexplore.exe 1 72 2->9         started        11 cmd.exe 1 2->11         started        13 cmd.exe 1 2->13         started        process3 signatures4 36 Writes or reads registry keys via WMI 6->36 38 Writes registry values via WMI 6->38 15 rundll32.exe 6->15         started        17 rundll32.exe 6->17         started        19 iexplore.exe 36 9->19         started        22 conhost.exe 11->22         started        24 timeout.exe 1 11->24         started        26 conhost.exe 13->26         started        28 timeout.exe 1 13->28         started        process5 dnsIp6 30 njoopsday.website 45.67.229.97, 443, 49724, 49725 ALEXHOSTMD Moldova Republic of 19->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 11:57:29 UTC
File Type:
PE (Dll)
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
42433b509118c66781f3fbc95e1ea506d71260171c9462a085ff515619f1ca81
Gozi
66920e0efd8980b63e704fc26b25fec19efbb3cdc3d281b91bff05806b95a654
Gozi
76c8a9dbff9b571500729611595f1a1bce8dab543922d731c3bb42af5477f517
Gozi
7a5e4fd35a1a636ef1beb7e62cc647d7e63f5c7aadd2aa1a49d49c81183aca93
Gozi
8092e8842e1f992f109e158672c97f4cf67eab62ed6f017b5f4c0378fbfda264
Gozi
94bb5ce324e3dbf3b2f19b85d33b77b376539ef51dce95443803c9036ffb2be3
Gozi
adef1e98019e2b2fcac75f287caf986ab16153cd40e45b803db0c2a3dd122559
Gozi
bc6a7b0e544aade9fc2a48c08ad4aaebd3743396d120f86d9d81b3c8757d9888
Gozi
be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2
Gozi
cc20b331f9b2b1ab79cf8e3570ee00d39a22c2f6029097d3c78c4e8903a391b1
Gozi
+ 607 additional samples on MalwareBazaar
Result
Malware family:
ursnif_rm3
Create hunting rule
Score:
  10/10
Tags:
family:ursnif_rm3 banker trojan
Link:
https://tria.ge/reports/201129-sp88h75zyn/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Blacklisted process makes network request
Ursnif RM3
Unpacked files
SH256 hash:
9250da8fb1142fe5c5d0f3e4c688f05e2573df2e7ceb234aa215330a0e5b4aea
MD5 hash:
713851886700cbc1814b427fe0aa5c65
SHA1 hash:
a9b977a4f09631cedeee519219c69518578b3126
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/6f02290f-7bc4-49df-8180-961aa60b6731/
SH256 hash:
9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0
MD5 hash:
b0f3a46adf98efb3a9ac7cead9b4fc5a
SHA1 hash:
01b0ece80907f2d9e500ada1cd2d555b782dd3a2
Link:
https://www.unpac.me/results/6f02290f-7bc4-49df-8180-961aa60b6731/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/105971/

Comments