MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154
SHA3-384 hash: 735bd20c00565e89ea9d029918a215f9ee8e0352ad290252cdbda0d7d86098d1fb9a42ee3473d8e9ac20c0c61923ca77
SHA1 hash: be672f1a3e7633aef5c810339a2db9dfe1e4d2b8
MD5 hash: 93d389d780ff703bd53b923f144f21aa
humanhash: black-romeo-grey-potato
File name:93d389d780ff703bd53b923f144f21aa.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:169'984 bytes
First seen:2021-03-16 19:39:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8a2d10d675a05af75649cf71c3f5b77f (1 x Gozi)
ssdeep 3072:N5imRyRGJk3vrqIr1LU680lex/V97gSff5XMAV:jQRsk3To680lad51RMAV
TLSH A0F39C1172E1C4F3F196153148A5C6B50A36FCB68F2156C77BC47BAE5E322E29A3A343
Reporter abuse_ch
Tags:exe Gozi RigEK Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
93d389d780ff703bd53b923f144f21aa.exe
Verdict:
Malicious activity
Analysis date:
2021-03-16 19:49:34 UTC
Tags:
trojan gozi ursnif dreambot evasion stealer
Link:
https://app.any.run/tasks/dedb6062-a210-44bb-abaa-8d0d25b91353

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/124441/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.30062.8957.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
Sending a UDP request
DNS request
Searching for the window
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5211a656-7ed6-4b03-8605-6a82be75e135
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/641349
Signature
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 369648 Sample: ExHsQNJ117.exe Startdate: 16/03/2021 Architecture: WINDOWS Score: 100 50 8.8.8.8.in-addr.arpa 2->50 52 1.0.0.127.in-addr.arpa 2->52 54 resolver1.opendns.com 2->54 62 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 10 other signatures 2->68 9 mshta.exe 19 2->9         started        12 ExHsQNJ117.exe 2->12         started        14 iexplore.exe 1 55 2->14         started        16 2 other processes 2->16 signatures3 process4 signatures5 78 Suspicious powershell command line found 9->78 18 powershell.exe 9->18         started        80 Detected unpacking (changes PE section rights) 12->80 82 Detected unpacking (overwrites its own PE header) 12->82 84 Modifies the context of a thread in another process (thread injection) 12->84 86 3 other signatures 12->86 22 iexplore.exe 31 14->22         started        25 iexplore.exe 29 14->25         started        27 iexplore.exe 29 14->27         started        29 iexplore.exe 31 16->29         started        31 iexplore.exe 35 16->31         started        process6 dnsIp7 46 C:\Users\user\AppData\...\xn4ulbph.cmdline, UTF-8 18->46 dropped 48 C:\Users\user\AppData\Local\...\1axofwj2.0.cs, UTF-8 18->48 dropped 70 Modifies the context of a thread in another process (thread injection) 18->70 72 Maps a DLL or memory area into another process 18->72 74 Compiles code for process injection (via .Net compiler) 18->74 76 Creates a thread in another existing process (thread injection) 18->76 33 csc.exe 18->33         started        36 csc.exe 18->36         started        38 conhost.exe 18->38         started        56 massidfberiatersksilkavayssstezya.ru 31.148.99.142, 49747, 49748, 49749 IHOR-ASRU Czech Republic 22->56 58 192.168.2.1 unknown unknown 25->58 60 sibedriamasterkkmoderatordstezya.ru 45.130.151.85, 49742, 49743, 49745 MARKTELRU Russian Federation 29->60 file8 signatures9 process10 file11 42 C:\Users\user\AppData\Local\...\xn4ulbph.dll, PE32 33->42 dropped 40 cvtres.exe 33->40         started        44 C:\Users\user\AppData\Local\...\1axofwj2.dll, PE32 36->44 dropped process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-03-16 07:59:43 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vkfftkxnrhoxzbuwu7ld7itwg2e34ar2jj3jf5r5sugyxer3mfka._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8005 banker trojan
Link:
https://tria.ge/reports/210316-lqwa1z8zfa/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
ssddl2.microsoft.com
siberiarrmaskkapsulrttezya.ru
sibedriamasterkkmoderatordstezya.ru
massidfberiatersksilkavayssstezya.ru
dolsggiberiaoserkmikluhasya.chimkent.su
dolsibegriaosersk4ermanderezya.chimkent.su
rdosdripakloserikabyatezya.chimkent.su
rusddripakoloserufinurtdrfezya.chimkent.su
ripakteenrufinishryeuliliezya.ru
rufiteemnisripakhglassdzya.ru
rufinisrufripakhmileronurzya.ru
rurugyrfripakinishtokokusstezya.ru
rufislomnishsripakerdfnstezya.adygeya.su
adav.microsoft.com
stratosferiss.ru
miniklanssstoezya.ru
sbigaschyress.chimkent.su
bigsachyd.abkhazia.su
sbsigachyeytezya.ru
sbigfachykatezya.ru
fgbiggachykvangdikezya.adygeya.su
zstremniagrazaautobanya.club
stremnaarumndadstezya.com
zastremnesddstezya.ru
minstremnstoun.ru
stremnrootttd.ru
stremnntveinee.chimkent.su
zastremnsamohodkakas.agency
Unpacked files
SH256 hash:
d205f030da71f4967a3524eba124e588d7924b13752a8dcf694ab41c5bfe32ef
MD5 hash:
f76936131edbaede06e14867b8fe4873
SHA1 hash:
9f291dd75e48efe7654c152e9972c4573986f006
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/a7d0bf06-4e27-436a-9894-adffdd4eaa69/
Parent samples :
dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6
f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641
aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154
d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42
556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb
SH256 hash:
298d0ff74e2d7a07d367709d17b599bd3e9f756c866829cf2f262d83f02645ac
MD5 hash:
1f12d6d3bf04a979e540dc0f95fcf87e
SHA1 hash:
2f93e036427dde49417e358467041e26050100c9
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/a7d0bf06-4e27-436a-9894-adffdd4eaa69/
Parent samples :
dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6
f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641
aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154
d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42
556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb
SH256 hash:
aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154
MD5 hash:
93d389d780ff703bd53b923f144f21aa
SHA1 hash:
be672f1a3e7633aef5c810339a2db9dfe1e4d2b8
Link:
https://www.unpac.me/results/a7d0bf06-4e27-436a-9894-adffdd4eaa69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/124441/
  
URLhaus
https://urlhaus.abuse.ch/url/1070434/
  
Delivery method
Distributed via web download

Comments