MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8c9c3b481e9f453c9dce5939a7e8c6c220ebbadd6cb16a7d7436d55ed19d971. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 8



SHA256 hash: a8c9c3b481e9f453c9dce5939a7e8c6c220ebbadd6cb16a7d7436d55ed19d971
SHA3-384 hash: f9fcee3010a9661afde021494a2c2aca7dfe95ecd2a63a0374c79ddbfc93ba9c1e6adbfad5f3c4425500982622990e45
SHA1 hash: bf1caf2073ded5474244d9811f953c30faadbc5f
MD5 hash: bdbfd5eb20f9160c7b84097fb823037a
humanhash: tango-island-music-virginia
File name: 239909_749.js
Signature: Gozi
File size: 5'017 bytes
First seen: 2023-06-08 21:19:06 UTC
Last seen: Never
File type: JavaScript (JS) js
MIME type: text/plain
ssdeep: 96:5sBeprD12YkUUGsgZislNRGBhWp5quaajeQF+fjsfK0kS6RdX+Bw:SBOD1mUUGsBslTGBhU5q3aCQFGsfK0k5
TLSH: T15EA1E0DB2217F8D9402A8F7289CC564B3014E88BCDA79252FA82DF74DC5CC9D468DE69
Reporter: pr0xylife
Tags: 555756 Gozi isfb js

Intelligence


File Origin
# of uploads: 1
# of downloads: 325
Origin country: IE

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 86%
Tags: cmd evasive obfuscated powershell
Result
Verdict: UNKNOWN

Result
Threat name:
Detection: malicious
Classification: bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Obfuscated command line found
Potential obfuscated javascript found
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Set custom UserAgent and download file via Powershell
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to download and execute files (via powershell)
Tries to steal Mail credentials (via file / registry access)
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Ursnif
Yara detected Obfuscated Powershell
Behaviour
Behavior Graph (ID 884570, sample 239909_749.js, start date 08/06/2023, architecture WINDOWS, score 100). Root-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 6 other signatures. The graph image is not reproducible in text; its process tree, with the signatures, dropped files and network contacts attached to each node, is:

wscript.exe (JScript performs obfuscated calls to suspicious functions; Wscript starts Powershell via cmd or directly; Obfuscated command line found)
  cmd.exe (Suspicious powershell command line found; Wscript starts Powershell via cmd or directly; Tries to download and execute files via powershell; 2 other signatures)
    1.exe (Antivirus detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process)
      RegSvcs.exe (contacts 78.153.130.9:80, INTERLAN-ASRU, Russian Federation, and logonn.biinng.com; Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process; Maps a DLL or memory area into another process)
        control.exe (Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer; Writes to foreign memory regions; 4 other signatures)
          rundll32.exe
      RegSvcs.exe (Writes registry values via WMI)
    powershell.exe (contacts fuelrescue.ie 185.2.67.20:443, BLACKNIGHT-ASIE, Ireland; drops C:\Users\user\AppData\Local\Temp\1.exe, PE32; Powershell drops PE file)
    conhost.exe
mshta.exe
  powershell.exe (drops C:\Users\user\AppData\...\kuvyhswf.cmdline, Unicode; Modifies the context of a thread in another process; Creates a thread in another existing process)
    explorer.exe [injected] (contacts loogin.biinng.com; System process connects to network; Tries to steal Mail credentials via file / registry access; Changes memory attributes in foreign processes to executable or writable; 4 other signatures)
      cmd.exe
        conhost.exe
      RuntimeBroker.exe [injected, three instances]
    csc.exe (drops C:\Users\user\AppData\Local\...\kuvyhswf.dll, PE32)
      cvtres.exe
    csc.exe (drops C:\Users\user\AppData\Local\...\blqjpu0q.dll, PE32)
      cvtres.exe
    conhost.exe
Result
Malware family:
Score: 10/10
Tags: family:gozi botnet:555756 banker isfb trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Gozi
Malware Config
C2 Extraction:
http://logonn.biinng.com
http://78.153.130.9
http://llogiin.biinng.com
http://45.15.157.239
Dropper Extraction:
https://fuelrescue.ie/wp/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments