MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a62876ad5b23476a42760a93bd502ce8d91d86a1fcbfa0f9edc673f4243a08f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a62876ad5b23476a42760a93bd502ce8d91d86a1fcbfa0f9edc673f4243a08f3
SHA3-384 hash: 4a0b2ec69d1562474bc04c36e813c713373a5781a63d1dd06a7e5a3033e8158b93e408297f15789ab444c857ea059bd8
SHA1 hash: 0fac819049810a6707ce2269dd9cee6347b8ec7b
MD5 hash: 9f07670d0192eb4c2fa2dbafb6b3dddf
humanhash: ack-mars-wolfram-floor
File name:2ff0174.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:48'780 bytes
First seen:2021-06-09 11:49:22 UTC
Last seen:2021-06-09 12:36:46 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 6e9163c62b29a1ccabed40ce8621a95a (7 x Gozi)
ssdeep 768:ufl+nrGv4FYhg2VvNBNxilnq/zXX7NO2Qa6V6nHtpbWG3tC683xLp3YhL+yxM:ut+nlFBm3/zXrNfQlKZ9tC6sMtx
TLSH BC23F2116F405837F987A4BF0276371E954B9314033B58CBD3728AC8AEEE9DA6C79903
Reporter 0x746f6d6669
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165589/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.808.18520.17949.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Searching for the window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3dc211f2-2560-4660-b256-2e975cb29d9c
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/799467
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 431863 Sample: 2ff0174.dll Startdate: 09/06/2021 Architecture: WINDOWS Score: 80 32 vhfkffjddyjunekugjtr.xyz 2->32 44 Found malware configuration 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 Yara detected  Ursnif 2->48 50 2 other signatures 2->50 8 loaddll32.exe 1 2->8         started        signatures3 process4 signatures5 52 Writes or reads registry keys via WMI 8->52 54 Writes registry values via WMI 8->54 11 iexplore.exe 2 106 8->11         started        13 regsvr32.exe 8->13         started        16 cmd.exe 1 8->16         started        18 rundll32.exe 8->18         started        process6 signatures7 20 iexplore.exe 11->20         started        23 iexplore.exe 11->23         started        25 iexplore.exe 11->25         started        30 16 other processes 11->30 58 Writes or reads registry keys via WMI 13->58 60 Writes registry values via WMI 13->60 27 rundll32.exe 16->27         started        process8 dnsIp9 34 vhfkffjddyjunekugjtr.xyz 82.118.22.204, 49833, 49834, 49835 GREENFLOID-ASUA Ukraine 20->34 36 192.168.2.1 unknown unknown 20->36 56 Writes registry values via WMI 27->56 38 qtrweyuiopolkhgbjune.xyz 82.118.22.247, 49848, 49849, 49850 GREENFLOID-ASUA Ukraine 30->38 40 wa.mail.com 82.165.229.16, 443, 49758, 49759 ONEANDONE-ASBrauerstrasse48DE Germany 30->40 42 25 other IPs or domains 30->42 signatures10
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a62876ad5b23476a42760a93bd502ce8d91d86a1fcbfa0f9edc673f4243a08f3/
Threat name:
Win32.Infostealer.Gozi
Create hunting rule
Status:
Malicious
First seen:
2021-06-09 11:50:13 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uyuhnlk3endwuqtwbkj32ubm5dmr3bvb7s72b6pnyzz7ijb2bdzq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210609-xhyx3l99cj/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
dc1833694e2a10cb207bf392752b5ab0cb8aa30c57e1846149a56fa2e9e8caf3
MD5 hash:
4642f09bba94e4bb773275726d1d3b26
SHA1 hash:
331847e68c782cd8765ef5352e27a242b4756291
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/5a08a07d-7b6a-41ce-ae89-366795bd48b1/
SH256 hash:
a62876ad5b23476a42760a93bd502ce8d91d86a1fcbfa0f9edc673f4243a08f3
MD5 hash:
9f07670d0192eb4c2fa2dbafb6b3dddf
SHA1 hash:
0fac819049810a6707ce2269dd9cee6347b8ec7b
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/5a08a07d-7b6a-41ce-ae89-366795bd48b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a62876ad5b23476a42760a93bd502ce8d91d86a1fcbfa0f9edc673f4243a08f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165589/

Comments