MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9a0db068a2ed9c7b9b3cdbe7f3c1c82a6f9d2c1c7d4b820820927da004b6cbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9a0db068a2ed9c7b9b3cdbe7f3c1c82a6f9d2c1c7d4b820820927da004b6cbf
SHA3-384 hash: bb9447a61a12035229973518bdd521aaa14784356f2de48495724a4f8c03ba6e5df975bfa02d070fe6416b89dbe0d809
SHA1 hash: 7f29e42f6d317d7b11ad164a672e91e4515b5bc0
MD5 hash: 58d9e2906f42336e9bee1137b4cf5839
humanhash: jupiter-one-sink-video
File name:signup.jpg.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:243'712 bytes
First seen:2021-03-16 05:25:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34df13d9f12a151ff03a5b61c12591c (1 x Gozi)
ssdeep 6144:tz3raG3DJCO3wVhIZhzG7WS7l8jE0DjSBj1:tDt4OtRZS7d
Threatray 3 similar samples on MalwareBazaar
TLSH CF341A18AA478979F79743FDC809C5AD4E2BDE748F5EB84237F83E9691334E91439802
Reporter JAMESWT_WT
Tags:dll gov2021 Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Downloads.zip
Verdict:
Malicious activity
Analysis date:
2021-03-16 05:23:52 UTC
Tags:
loader trojan gozi ursnif dreambot
Link:
https://app.any.run/tasks/46a3f940-9629-4ae5-b849-c08a7cdb35f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.19579.18799.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bde56141-e09b-42e6-b2ec-524e6b62b016
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/640307
Signature
Found malware configuration
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Register DLL with spoofed extension
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 369127 Sample: signup.jpg.dll Startdate: 16/03/2021 Architecture: WINDOWS Score: 92 38 Found malware configuration 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected  Ursnif 2->42 44 3 other signatures 2->44 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        signatures5 46 Writes or reads registry keys via WMI 10->46 48 Writes registry values via WMI 10->48 17 iexplore.exe 1 65 13->17         started        process6 process7 19 iexplore.exe 17->19         started        22 iexplore.exe 17->22         started        24 iexplore.exe 138 17->24         started        26 2 other processes 17->26 dnsIp8 28 ocsp.sca1b.amazontrust.com 143.204.15.29, 49748, 49749, 80 AMAZON-02US United States 19->28 30 143.204.15.47, 49750, 49751, 80 AMAZON-02US United States 22->30 32 geolocation.onetrust.com 104.20.185.68, 443, 49720, 49721 CLOUDFLARENETUS United States 24->32 34 www.msn.com 24->34 36 6 other IPs or domains 24->36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9a0db068a2ed9c7b9b3cdbe7f3c1c82a6f9d2c1c7d4b820820927da004b6cbf/
Verdict:
unknown
Similar samples:
5833c87bcb55898337f74a84402e525cab70a611276e3e2faa9e880ff4059ba3
Gozi
eb12afe158fd7f4236a98c7c6b686dfe9838c3d986c28b593a54303c68534661
Gozi
ff69d250cc705f583350967cc8956786e198d2ab5cbaa6e19fc63b1e2a208ac7
Gozi
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7256 banker trojan
Link:
https://tria.ge/reports/210316-f8nmqkhghe/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
web.vortex.data.microsoft.com
ocsp.sca1b.amazontrust.com
statillioni.com
interstatos.com
Unpacked files
SH256 hash:
b07338dda3dbfc433458f15358a36fd7e0e1e783c4664b9209fb19466c40a460
MD5 hash:
0f6cad5d1ed653b9f0dcd8bfe1d3c1c6
SHA1 hash:
300099e4882834048fcd384636060f428f544381
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/ea587726-83bf-411b-87c0-c4e6be0af62a/
Parent samples :
a9a0db068a2ed9c7b9b3cdbe7f3c1c82a6f9d2c1c7d4b820820927da004b6cbf
42edfcd68a1dd19bb276fc6b112351d7e367313322e6a83acc420d6122349e8f
SH256 hash:
a9a0db068a2ed9c7b9b3cdbe7f3c1c82a6f9d2c1c7d4b820820927da004b6cbf
MD5 hash:
58d9e2906f42336e9bee1137b4cf5839
SHA1 hash:
7f29e42f6d317d7b11ad164a672e91e4515b5bc0
Link:
https://www.unpac.me/results/ea587726-83bf-411b-87c0-c4e6be0af62a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9a0db068a2ed9c7b9b3cdbe7f3c1c82a6f9d2c1c7d4b820820927da004b6cbf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe a9a0db068a2ed9c7b9b3cdbe7f3c1c82a6f9d2c1c7d4b820820927da004b6cbf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1070202/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1070493/
  
URLhaus
https://urlhaus.abuse.ch/url/1070324/
  
URLhaus
https://urlhaus.abuse.ch/url/1068118/
  
URLhaus
https://urlhaus.abuse.ch/url/1068120/
  
URLhaus
https://urlhaus.abuse.ch/url/1068122/
  
URLhaus
https://urlhaus.abuse.ch/url/1070203/
  
URLhaus
https://urlhaus.abuse.ch/url/1070255/
  
URLhaus
https://urlhaus.abuse.ch/url/1070320/
  
URLhaus
https://urlhaus.abuse.ch/url/1068115/
  
URLhaus
https://urlhaus.abuse.ch/url/1070744/
  
URLhaus
https://urlhaus.abuse.ch/url/1070747/

Comments