MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6
SHA3-384 hash: 43982e95841b5f14c2620700689e1908264dd0a87bcd741f5d6351c4560b9c8e17c76331c8813f711045b0fac72d8d96
SHA1 hash: 841dde1545bdfee1be219de7d905d3d2db8ca5bb
MD5 hash: 716649589f77b4c078b4fd89cfab2420
humanhash: quebec-winner-three-apart
File name:gg.gif.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:118'156 bytes
First seen:2021-04-06 07:56:06 UTC
Last seen:2021-04-06 07:56:06 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 3f728412058b62c418b1091768b74d7b (8 x Gozi)
ssdeep 1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W
Threatray 215 similar samples on MalwareBazaar
TLSH F1B3BE0CF7E950C1C5DA3AB750B19E287228EE128DB4243616F62E797FF71A37C29485
Reporter JAMESWT_WT
Tags:dll GG Gozi ifsb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132599/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.796.19201.25163.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c6c456fb-4d0c-48b3-b0c3-a6c2ed96412e
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/667270
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 382563 Sample: gg.gif.dll Startdate: 06/04/2021 Architecture: WINDOWS Score: 68 15 Found malware configuration 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected  Ursnif 2->19 21 Machine Learning detection for sample 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 07:54:28 UTC
File Type:
PE (Dll)
AV detection:
19 of 48 (39.58%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
01006cd1258047b9e2bd9f58b303bd22c39b7f3242db9e4111f88b9f78b9df8f
Gozi
1abd2ae7b4600681751fcd1d401a6ad35fbdd3e231790be49ef7b61333358802
Gozi
310ac7c48b536f71a16706f67fd4d2bed5d9f5708dd460cf3cbc0cd34f43a3ed
Gozi
4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
Gozi
6e4568c87d8d2b5d6428ce46362b1ae29559047aafc275948cd4510573e460a8
Gozi
6eb9c1a0a8c539ac78ef7413a78479dbf6a3270f48c1ae79b4595aab0b299c63
Gozi
7e0e394cd085d162aa83daad67f4f66e35981e5b696d0a1b140dbf6db437f2d8
Gozi
8328e3fd543f366d1625e37bf5b002b5d057b2d80aa2250326c174425886c1c0
Gozi
85d535a2051a60c54a1f2f43ce8854f51a784e87a7a9a5a337567fe3296d81a6
Gozi
cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
Gozi
+ 205 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/210406-3l1nvart56/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
026a934ae5a96fbb53fa1b81f69d5441d87c039951fb17639773bfb7f0a063ac
MD5 hash:
b8e4c4663cc6a6b33e7fe81e86b85e6d
SHA1 hash:
3a182a1d590af2cf073491c7c748ee16853e525f
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/ac74de48-92d6-4b12-a895-4f3aa7df494a/
Parent samples :
cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
01006cd1258047b9e2bd9f58b303bd22c39b7f3242db9e4111f88b9f78b9df8f
4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6
d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
bb5480c21a832b918bb504d84450129527c3e0c4c49924ecd874e880a6fb54c4
92df4c929fde89abd9aca880f6e942e432853e5e8db64ffe4c19929ff4e2342f
9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8
SH256 hash:
9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6
MD5 hash:
716649589f77b4c078b4fd89cfab2420
SHA1 hash:
841dde1545bdfee1be219de7d905d3d2db8ca5bb
Link:
https://www.unpac.me/results/ac74de48-92d6-4b12-a895-4f3aa7df494a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.42
Link:
https://yomi.yoroi.company/submissions/9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132599/

Comments