MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1
SHA3-384 hash: 5e13f9bf8adead33a2583ce9bdbd62e2345d9596c1f2eda6110c294ac0cd233a8a9b51e799f12223198986d20fd762eb
SHA1 hash: d9215e03d2ddae00041a4ddd731872025b3ce537
MD5 hash: b8bc8b1740b329ff2baf16bcee6ca23d
humanhash: mountain-happy-zebra-stairway
File name:aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1
Download: download sample
Signature Gozi
Create hunting rule
File size:854'016 bytes
First seen:2021-06-08 01:02:16 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 3886a4d0545dd72353a1dfd84401a2b8 (1 x Gozi)
ssdeep 24576:QqUdwbd9vSNvA2rqFIYURXYdjB/i37HHgvd:/jR9v6LrqCYURXY3irHc
Threatray 760 similar samples on MalwareBazaar
TLSH 7305CF017981F436D52618368F64E5B10B2CBC240F685B8F33D45EBB6F6D6939A2873E
Reporter Anonymous
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165111/
Detection(s):
SecuriteInfo.com.Trojan-Spy.Agent.30566.19179.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Searching for the window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/798423
Signature
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 430819 Sample: HP7cjYBnlS Startdate: 08/06/2021 Architecture: WINDOWS Score: 80 25 authd.feronok.com 2->25 29 Multi AV Scanner detection for domain / URL 2->29 31 Found malware configuration 2->31 33 Antivirus detection for URL or domain 2->33 35 Yara detected  Ursnif 2->35 8 loaddll32.exe 1 2->8         started        11 iexplore.exe 2 83 2->11         started        signatures3 process4 signatures5 37 Writes or reads registry keys via WMI 8->37 39 Writes registry values via WMI 8->39 13 rundll32.exe 8->13         started        16 cmd.exe 1 8->16         started        18 rundll32.exe 8->18         started        20 iexplore.exe 39 11->20         started        process6 dnsIp7 41 Writes registry values via WMI 13->41 23 rundll32.exe 16->23         started        27 authd.feronok.com 47.254.173.212, 49735, 49736, 49742 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 20->27 signatures8 process9
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vl62me4objb3cu6maa5rd47f7kf7t2jj2i2w5rjwxey2btuyhkqq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
08dafa77d5b9a550504ff06b05afef539e6f669ba8c330e776fbff2a2cc31b81
Gozi
1346bf7820f12ebcb3b6924fcbbcde045b4819773b924f1524abec895efa78e4
Gozi
7059aa3319ad7b90402ce5e5d706571ec49778420065d34feb098ffbb6693e66
Gozi
8840a062340c8fe5dea458987115a53879cca745fdaccc40edf1c20b6a6f3861
Gozi
8f8268c13ddc484a180cff0dd8e764e328897e7a978d0f45e9c26de57f233106
Gozi
a75c290ca3dd70d57c3f2805fb7c5668d95402c0cea95f62054a47084200ef24
Gozi
b706c4069b014fee3dc18079519e77c9f75e8fc2736264866119a4c0a7bc06c3
Gozi
cf3c48e8101a18867fc13897761b7bdb375315a4e6fb6c590dd8b6ce1ed8d8d2
Gozi
d422be9c13a05834c38e162f3387cc787a8cc31c56998260d80f0544fdfbab5a
Gozi
f9df666658282d040451818e7134e4f8f7e5467dae5e390f79b541411a142738
Gozi
+ 750 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:5500 banker trojan
Link:
https://tria.ge/reports/210608-ag88be4ghn/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
authd.feronok.com
app.bighomegl.at
Unpacked files
SH256 hash:
218c15eb2c06e0697ed6f0b5f7c7e53317c8f56b625cec33e076c67016dbe519
MD5 hash:
c5fe8707449befc20aeb04f2a75360d1
SHA1 hash:
e3996c5f1fd0780fa78e3eeac55755536946e302
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/996f30fa-42eb-4bc5-ac48-0b997c1b6b01/
SH256 hash:
aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1
MD5 hash:
b8bc8b1740b329ff2baf16bcee6ca23d
SHA1 hash:
d9215e03d2ddae00041a4ddd731872025b3ce537
Link:
https://www.unpac.me/results/996f30fa-42eb-4bc5-ac48-0b997c1b6b01/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165111/

Comments