MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a39f088d2176b2545060cbe750158a53388b10c9abbb27581e3cb7abd9fd343d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	a39f088d2176b2545060cbe750158a53388b10c9abbb27581e3cb7abd9fd343d
SHA3-384 hash:	91ba963a4680b917e7e5d7f43bdf95e9714ff0e1488d08024502efd919c5c05d096a45b2aa902a6ddfd9f2467da3a749
SHA1 hash:	df6762799d3f72f42f999660ec08be98bc74299d
MD5 hash:	9329eb1c24ac9dda030bcab6a3bfd421
humanhash:	arizona-magnesium-angel-beer
File name:	7903c6c6b06c652bdcf5dad6126258ba
Download:	download sample
Signature	Gozi Create hunting rule
File size:	406'016 bytes
First seen:	2020-11-17 12:47:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a47bf8d6ef13b3fef9e73edef2c18705 (4 x Gozi)
ssdeep	6144:dVsw+BGSKlWkpLc95mEOHV6cj/8GdKSy/bmVR2zuGnhhDiWUHBDs:dVvcClZg5W16cj/8tkMzxnh5+O
Threatray	5 similar samples on MalwareBazaar
TLSH	7584AC7367D717F2E6B108374D15C281EA76A2A634E218D9E7F31C82354F752FAA2390
Reporter	seifreed
Tags:	Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Ransomware.Ursnif-9792476-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% subdirectories

Running batch commands

Creating a process with a hidden window

Creating a process from a recently created file

Sending a UDP request

Launching a process

DNS request

Sending an HTTP GET request

Creating a window

Changing a file

Setting browser functions hooks

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Unauthorized injection to a browser process

Deleting of the original file

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a39f088d2176b2545060cbe750158a53388b10c9abbb27581e3cb7abd9fd343d/

Threat name:

Win32.Trojan.Ursnif

Status:

Malicious

First seen:

2020-11-17 12:51:41 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uopqrdjbo2zfiudazptvafmkkm4iwegjvo5sowa6hs32xwp5gq6q._file

Verdict:

malicious

Gozi

77a9dd087ddaea28c24891d5422565a155d03a4e201e4c7ab014502c825968de

Gozi

93d99d2cd1283d50475a5860cc3ea76438f51b4419792ce9bfc3fde3fd574ba4

Gozi

b0d9f78957650a0bc42b0bf646e3d158f713de64ee5e6ab395cf777e93a7a240

Gozi

d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba

Gozi

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201117-qd2dj4nx22/

Unpacked files

SH256 hash:

a39f088d2176b2545060cbe750158a53388b10c9abbb27581e3cb7abd9fd343d

MD5 hash:

9329eb1c24ac9dda030bcab6a3bfd421

SHA1 hash:

df6762799d3f72f42f999660ec08be98bc74299d

Link:

https://www.unpac.me/results/570bc47c-9541-4f67-8eec-4084a54c436d/

SH256 hash:

a9a8a5396997fcf20e2002f51b63542e8db2683270caf82163a401a8aff4ead2

MD5 hash:

7135e9bb1933a6e91423d07e30de0e13

SHA1 hash:

4f104b3f6dedc9ddd56ab260132500920f1be155

Detections:

win_dreambot_a0

win_isfb_a4

Link:

https://www.unpac.me/results/570bc47c-9541-4f67-8eec-4084a54c436d/

SH256 hash:

823995a26afbe5cd3bb36065ef99fa15e8f430b7b2f48e8359e8f4145a1d03ac

MD5 hash:

37a9edb18b806c34e5b79a023fe60ecd

SHA1 hash:

aaf3ce3076de7fce5714fdd3d5ffc0890e46b381

Detections:

win_isfb_a4

win_isfb_auto

Link:

https://www.unpac.me/results/570bc47c-9541-4f67-8eec-4084a54c436d/

Parent samples :

77a9dd087ddaea28c24891d5422565a155d03a4e201e4c7ab014502c825968de
a39f088d2176b2545060cbe750158a53388b10c9abbb27581e3cb7abd9fd343d

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	Ursnif Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:	internal research

Rule name:	Ursnif3 Create hunting rule
Author:	kevoreilly
Description:	Ursnif Payload

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample