MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8
SHA3-384 hash: c668405511790d271aafa24de8941fd8d31a5a7e673ea508f2eba7b2c88bb775750a63abcd79c3bbf3bb8924316c0200
SHA1 hash: 1b002110ca216433834fac4ddcbf5ec32e86f59c
MD5 hash: beed23c8b32850c8f45228c22c8b036d
humanhash: fillet-snake-cola-table
File name:beed23c8b32850c8f45228c22c8b036d.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:121'181 bytes
First seen:2021-05-07 18:37:50 UTC
Last seen:2021-05-07 19:01:06 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 3f728412058b62c418b1091768b74d7b (8 x Gozi)
ssdeep 1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W
Threatray 258 similar samples on MalwareBazaar
TLSH 29C3BE0CF7E950C1C5DA3AB750B19E287228EE128DB4243616F62E797FF71A37C29485
Reporter abuse_ch
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Crypterx-9850539-0
Create hunting rule

SecuriteInfo.com.Trojan.Gozi.796.15659.27384.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8656b33-202a-4c14-98ef-0adf769cc2bd
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/717489
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 407674 Sample: t6ygT2aU8p.dll Startdate: 08/05/2021 Architecture: WINDOWS Score: 68 15 Found malware configuration 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected  Ursnif 2->19 21 Machine Learning detection for sample 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-05-07 18:38:17 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
01006cd1258047b9e2bd9f58b303bd22c39b7f3242db9e4111f88b9f78b9df8f
Gozi
310ac7c48b536f71a16706f67fd4d2bed5d9f5708dd460cf3cbc0cd34f43a3ed
Gozi
4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
Gozi
6eb9c1a0a8c539ac78ef7413a78479dbf6a3270f48c1ae79b4595aab0b299c63
Gozi
85d535a2051a60c54a1f2f43ce8854f51a784e87a7a9a5a337567fe3296d81a6
Gozi
92df4c929fde89abd9aca880f6e942e432853e5e8db64ffe4c19929ff4e2342f
Gozi
9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6
Gozi
bb5480c21a832b918bb504d84450129527c3e0c4c49924ecd874e880a6fb54c4
Gozi
cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
Gozi
d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
Gozi
+ 248 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/210507-5wz3ae3rax/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
026a934ae5a96fbb53fa1b81f69d5441d87c039951fb17639773bfb7f0a063ac
MD5 hash:
b8e4c4663cc6a6b33e7fe81e86b85e6d
SHA1 hash:
3a182a1d590af2cf073491c7c748ee16853e525f
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/f1f7859b-b115-448b-ba84-6cdc14bd1dda/
Parent samples :
cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
01006cd1258047b9e2bd9f58b303bd22c39b7f3242db9e4111f88b9f78b9df8f
4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6
d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
bb5480c21a832b918bb504d84450129527c3e0c4c49924ecd874e880a6fb54c4
92df4c929fde89abd9aca880f6e942e432853e5e8db64ffe4c19929ff4e2342f
9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8
SH256 hash:
9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8
MD5 hash:
beed23c8b32850c8f45228c22c8b036d
SHA1 hash:
1b002110ca216433834fac4ddcbf5ec32e86f59c
Link:
https://www.unpac.me/results/f1f7859b-b115-448b-ba84-6cdc14bd1dda/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1100632/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-07 19:01:08 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0026.002] Data Micro-objective::XOR::Encode Data