MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd
SHA3-384 hash: c709d0773bb800595b01ca3dc7a0e7d888914519144daf18bc1add64e4149df1ef8275696d4c6008f98555a3df181d9a
SHA1 hash: 63bf115490eae7045447b740c4682bc10d710e94
MD5 hash: c6f9463bba628a9873691bd1f9f94645
humanhash: football-saturn-four-saturn
File name:image bmp.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:433'976 bytes
First seen:2022-02-23 05:31:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b28ff5aaedf54815b1c73bd248288642 (1 x Gozi)
ssdeep 12288:EyF2GQcZzyF2GQcZgjnNZdkyF2GQcZkyF2GQcZrhDAcz:EyF6WzyF6WwnNZdkyF6WkyF6Wr7
Threatray 34 similar samples on MalwareBazaar
TLSH T1D194D0B330EDB17FF29BA637FD04E5760800951AB17991E3B6CA0ADDD4B6DA74128243
Reporter JAMESWT_WT
Tags:dll exe Gozi inps isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/243537/
Detection(s):
SecuriteInfo.com.ML.PE-A.30466.11648.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6215c6d5a2660f3bb92c8d25/reports/df59807b-41f7-4bc6-a78c-c3ad2ac1bf03/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9f6d7ab4-07eb-4bad-846d-96801e8d6ea8
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/944470
Signature
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Multi AV Scanner detection for domain / URL
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Remote Thread Created
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 576947 Sample: image bmp.dll Startdate: 23/02/2022 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->62 64 Multi AV Scanner detection for domain / URL 2->64 66 Found malware configuration 2->66 68 4 other signatures 2->68 7 loaddll32.exe 7 2->7         started        11 iexplore.exe 2 64 2->11         started        13 iexplore.exe 1 53 2->13         started        15 2 other processes 2->15 process3 dnsIp4 52 premiumlists.ru 7->52 74 Found evasive API chain (may stop execution after checking system information) 7->74 76 Found API chain indicative of debugger detection 7->76 78 Writes or reads registry keys via WMI 7->78 80 Writes registry values via WMI 7->80 17 cmd.exe 1 7->17         started        19 rundll32.exe 7->19         started        21 regsvr32.exe 7->21         started        54 192.168.2.1 unknown unknown 11->54 23 iexplore.exe 31 11->23         started        26 iexplore.exe 32 11->26         started        28 iexplore.exe 32 13->28         started        30 iexplore.exe 32 13->30         started        32 iexplore.exe 15->32         started        34 iexplore.exe 15->34         started        signatures5 82 System process connects to network (likely due to code injection or exploit) 52->82 process6 dnsIp7 36 rundll32.exe 6 17->36         started        40 iexplore.exe 23->40         started        42 iexplore.exe 23->42         started        56 atomlinks.top 62.173.149.135, 49750, 49751, 49752 SPACENET-ASInternetServiceProviderRU Russian Federation 26->56 58 premiumlists.ru 45.128.184.132, 80 MGNHOST-ASRU Russian Federation 28->58 60 linkspremium.ru 31.41.44.3, 80 ASRELINKRU Russian Federation 32->60 process8 dnsIp9 44 premiumlists.ru 36->44 70 System process connects to network (likely due to code injection or exploit) 36->70 72 Writes registry values via WMI 36->72 46 atomlinks.top 40->46 48 31.41.46.120, 49839, 49840, 49841 ASRELINKRU Russian Federation 42->48 50 atomlinks.top 42->50 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-02-23 05:32:30 UTC
File Type:
PE (Dll)
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923
Gozi
141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86
Gozi
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
37603cddc36ec9c8b2b6c3d6a0d1a05ee33b1df81befe404ffcc398a6acd1edb
Gozi
410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
Gozi
45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
+ 24 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7617 banker suricata trojan
Link:
https://tria.ge/reports/220223-f8axcsadfn/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Malware Config
C2 Extraction:
atomlinks.top
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
e0d1b5b5d8b77a5868fff21a85366d732345ca37c9f6fe6e96c9b4fbd92fe579
MD5 hash:
99c3d2a630f117bf42973d0d0516e967
SHA1 hash:
ff4abbce71fd70a2791f1ac96ab94aaa11eb5382
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/d8b7e191-55d1-4e4e-a918-da816ca9fe68/
Parent samples :
9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd
9982fdf2c1b5b3c8e15cffe317da900d764d65d7d09cf98b0e52cfcc966898c3
SH256 hash:
16057acd8a0dbf3ef560588781a388048fa89fd1b027f9d925286fd3f92d6f05
MD5 hash:
c3e7b109e08101f52525d9e90f797c52
SHA1 hash:
0dd271130dcd21ddb4fe6871870e2ebe81539820
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/d8b7e191-55d1-4e4e-a918-da816ca9fe68/
Parent samples :
9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd
9982fdf2c1b5b3c8e15cffe317da900d764d65d7d09cf98b0e52cfcc966898c3
SH256 hash:
9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd
MD5 hash:
c6f9463bba628a9873691bd1f9f94645
SHA1 hash:
63bf115490eae7045447b740c4682bc10d710e94
Link:
https://www.unpac.me/results/d8b7e191-55d1-4e4e-a918-da816ca9fe68/
Malware family:
Ursnif.Dreambot.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9f67885dc039/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2054832/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/243537/

Comments