MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5540f6dd0f7761dd3f7e52f5e1d25332b99d95cccf63401d202406160948750. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 10

SHA256 hash: a5540f6dd0f7761dd3f7e52f5e1d25332b99d95cccf63401d202406160948750
SHA3-384 hash: 85ee67669305681569a3d26bd2aaf866f9d827db2ac693844fe91d1d30852ef6b99b1763008a262f1ce1a0d971e4a3ac
SHA1 hash: 19b5c95728b212a75adf3e4d2932f411f6c68f9d
MD5 hash: ed60097b0bca7f9c4649ba5d5a088fc9
humanhash: three-robin-east-spring
File name: 7.dll
Signature: Gozi
File size: 557'056 bytes
First seen: 2021-08-23 17:54:15 UTC
Last seen: Never
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 12994b2554048ef1e6f7b4dd1e874109 (3 x Gozi)
ssdeep: 12288:rqru80paIRPWxvFzhzFIkofIcYrIAfDE0cb1Yklllll/lllll7K10QUNI0H:rs0IIFWx9zlFIkofDY8kcbHlllll/llH
Threatray: 436 similar samples on MalwareBazaar
TLSH: T1A6C49D12B791E024E9B952788F75D9D8AA2D38215B3850CF39E13B9F0E396E39D35343
Reporter: JAMESWT_WT
Tags: brt, dll, Gozi, isfb, Ursnif

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 1'798
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj
Score: 72 / 100
Signature
Found malware configuration
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (ID 470168; sample 7.dll; start date 23/08/2021; architecture WINDOWS; score 72): loaddll32.exe was started and spawned cmd.exe and two rundll32.exe processes; cmd.exe in turn started a further rundll32.exe. Network contacts: clientconfig.passport.net, xaaorunokee.site, outlook.com (40.97.153.146, port 443, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States) and 6 other IPs or domains. Signatures shown on the graph: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Writes or reads registry keys via WMI; Writes registry values via WMI.
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2021-08-23 17:53:23 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 12 of 46 (26.09%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb, botnet:8877, banker, trojan
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
xaaorunokee.site
taaorunokee.site
Unpacked files
SHA256 hash: cc89669a3ca75594456e91595e249f02e41a5b66d1f256a2281804c10ea13c23
MD5 hash: 6eb6ef0ed1b8b345412f9545571042e2
SHA1 hash: b9a1945c04610ae72265c5da6ccfe29ca1a4c52e
Detections: win_isfb_auto

SHA256 hash: a5540f6dd0f7761dd3f7e52f5e1d25332b99d95cccf63401d202406160948750
MD5 hash: ed60097b0bca7f9c4649ba5d5a088fc9
SHA1 hash: 19b5c95728b212a75adf3e4d2932f411f6c68f9d
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Comments