MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c
SHA3-384 hash:	632222e4e33bd1911dda4ce759b802725c62fc77bdf6dcecf228da9e39dbe486e7db4d1f53fbe921e947655dacb44846
SHA1 hash:	9c813cf77dcb9d9ae4cb3304309f33a8762399d6
MD5 hash:	ee3942b590be4220fcec1cfff0f3487f
humanhash:	victor-earth-mountain-carpet
File name:	2803.gif.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	368'615 bytes
First seen:	2021-03-29 20:06:46 UTC
Last seen:	2021-03-29 20:58:40 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	77af713b1f2916ea138f9bb7258cf849 (5 x Gozi)
ssdeep	1536:bepG5ACCny8GenidAHcz92ZIx9FxIl+YkSVoZlP1usBVEwnoxJashnXcX:36lGeExx9FmSSkfBt8
TLSH	AC74AE053BB0C5D9D2A521B44ECD8EA4E924FCAA1F20D21372D975DCBDF9F89262D381
Reporter	info_sec_ca
Tags:	exe Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

168

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ursnif

Link:

https://www.capesandbox.com/analysis/127810/

Detection(s):

SecuriteInfo.com.Trojan.Gozi.796.17496.4264.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/271d989d-bdbe-4088-abb5-c5d60e707c1e

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/657575

Signature

Machine Learning detection for sample

Uses an obfuscated file name to hide its real file extension (double extension)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c/

Threat name:

Win32.Trojan.Ursnif

Status:

Malicious

First seen:

2021-03-29 20:07:05 UTC

AV detection:

13 of 29 (44.83%)

Threat level:

5/5

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:5566 banker trojan

Link:

https://tria.ge/reports/210329-kb9kld239e/

Behaviour

Suspicious use of WriteProcessMemory

Gozi, Gozi IFSB

Malware Config

C2 Extraction:

bing.com
update4.microsoft.com
fdjjasdoeoriefjd.live
paralikulat.website

Unpacked files

SH256 hash:

cb4475124262bc50962a10e63683b3113ae4ef8008110c995c36edc04460fe41

MD5 hash:

d5e5806a67c22dc1ff4432ac7f74afe9

SHA1 hash:

b8f94f843c875941987edee13173baeda35177ac

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/113a26f5-35a5-49a8-b4db-88b7a148df83/

Parent samples :

632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35
a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c
2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887

SH256 hash:

220f635b3a747e133170eb0dbf2c63c91646b460f4315498a31a176498ca215b

MD5 hash:

4df4258bb725b92568e441970439dff5

SHA1 hash:

8673bd2ab0eb5e60a787c0b75c5b6baeda4cec91

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/113a26f5-35a5-49a8-b4db-88b7a148df83/

Parent samples :

5833c87bcb55898337f74a84402e525cab70a611276e3e2faa9e880ff4059ba3
632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35
a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c
312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3
46eeef418745fe61c1c5bdf6f828339a5cabc45215fe961a9ce235360dc65f3a
2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887

SH256 hash:

a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c

MD5 hash:

ee3942b590be4220fcec1cfff0f3487f

SHA1 hash:

9c813cf77dcb9d9ae4cb3304309f33a8762399d6

Link:

https://www.unpac.me/results/113a26f5-35a5-49a8-b4db-88b7a148df83/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.14

Link:

https://yomi.yoroi.company/submissions/a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ursnif3 Create hunting rule
Author:	kevoreilly
Description:	Ursnif Payload

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/127810/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample