MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af01b8ece8f568f76bee77c812b47a4c46c7a969a76c3b69b3ffdc86d58654f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af01b8ece8f568f76bee77c812b47a4c46c7a969a76c3b69b3ffdc86d58654f7
SHA3-384 hash: 50c30ccb28fda0f014d08ff4fc69b51fa320d6b22de53a3579dc783c99a7789bb309feb1d966d68405f7dec3ec6e5147
SHA1 hash: 6d721f3765720164e6948099415a1bf31c815b05
MD5 hash: 1d7d87f0c36eb1ccc1d4d386763ce844
humanhash: leopard-oxygen-table-undress
File name:xspcd.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:483'328 bytes
First seen:2020-12-03 10:10:00 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash e6e52f9692f213d67964fdf77e570f45 (1 x Gozi)
ssdeep 6144:XqMJop5K+0As4GDFh8J5mPkiztP4EY9YV0VXttVCw/m0NxRQvabuq8cch5FG7h8K:6yop5K+0AHyF5tgEsY49mwu0Nfxy4LV
Threatray 74 similar samples on MalwareBazaar
TLSH C5A4F125BAAA9470D013843608879F26E77EBDB13B2566C337FDECD76F204D0693A149
Reporter JAMESWT_WT
Tags:dll Gozi isfb pw 5236721 Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
357
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106576/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/554523
Signature
Creates a COM Internet Explorer object
Found malware configuration
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 326360 Sample: xspcd.dll Startdate: 03/12/2020 Architecture: WINDOWS Score: 68 29 Found malware configuration 2->29 31 Yara detected  Ursnif 2->31 6 loaddll32.exe 1 2->6         started        9 iexplore.exe 2 68 2->9         started        process3 signatures4 33 Writes or reads registry keys via WMI 6->33 35 Writes registry values via WMI 6->35 37 Creates a COM Internet Explorer object 6->37 11 rundll32.exe 6->11         started        14 rundll32.exe 6->14         started        16 rundll32.exe 6->16         started        18 iexplore.exe 35 9->18         started        21 iexplore.exe 7 9->21         started        23 iexplore.exe 6 9->23         started        25 iexplore.exe 29 9->25         started        process5 dnsIp6 39 Writes registry values via WMI 11->39 41 Creates a COM Internet Explorer object 11->41 27 192.168.2.1 unknown unknown 18->27 signatures7
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/af01b8ece8f568f76bee77c812b47a4c46c7a969a76c3b69b3ffdc86d58654f7/
Threat name:
Win32.Trojan.Johnnie
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 10:10:09 UTC
File Type:
PE (Dll)
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v4a3r3hi6vupo27oo7ebfnd2jrdmpklju5wdw2nt77oinvmgkt3q._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
07a73fb70fa63ff53d091c68cb1e5728314ff7b479ca695050173faf3f8f5ea2
Gozi
1302b4037bd0759b5eac425cf3b4333621d2357c8d7d26f910a3473d8618b739
Gozi
1b3b5a0f763692e182e4ec002a871aa61c91341a448dd3241ff7c5d0be094f66
Gozi
2900169349643be6f77530141614eeac56e7b22387b9acf866ed4e4922e32401
Gozi
733cbecbe9469a90f40dc38448866df368238aac203fa9c986cd6b45d8057aa7
Gozi
7ca733ebb2fc1c0fc99bb61736c8c5a2b619110ef0ce8119207157247ecee478
Gozi
7f78709da704f5fe0f08e67661f668381028e7649ec06028b89fb43947ee4d8d
Gozi
c4e6f5cfecd2f30e47b684e5e57a6a9c9b03853546959baaf39e5948b7c9e15b
Gozi
d365d2272c6be7f3420d9083251496bfa2f48e4b2ac2f3563b65c3b246714a18
Gozi
f3f8d996ff8837734356f73ef5794917eaa81829018db1eefcdf4e0c043e5c45
Gozi
+ 64 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201203-tldhnax8hj/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer Phishing Filter
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
af01b8ece8f568f76bee77c812b47a4c46c7a969a76c3b69b3ffdc86d58654f7
MD5 hash:
1d7d87f0c36eb1ccc1d4d386763ce844
SHA1 hash:
6d721f3765720164e6948099415a1bf31c815b05
Link:
https://www.unpac.me/results/f4989307-dc65-4206-b167-1f1390f434b1/
SH256 hash:
8a34ce9439c14ffef1a1383d6e644ef602242edcb275aa3de994401b1b6824a6
MD5 hash:
1beed1a534d78aa4a7ed80a97bbbf78f
SHA1 hash:
c67ff65dd373b69b41f3e89a85212daada3c2a2f
Link:
https://www.unpac.me/results/f4989307-dc65-4206-b167-1f1390f434b1/
SH256 hash:
565b18e17db98d9820dfd504ad5239806734c7e434fe605e5caaf2b4619036fd
MD5 hash:
32552af170552def743ad513a911babf
SHA1 hash:
18d330e627cc64dccec350d61581c6ddf3c07c6f
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/f4989307-dc65-4206-b167-1f1390f434b1/
Parent samples :
89c0ff2a9bcbc1e2f6054bfbc9f9325e3b02ee2547ed71fc5803d1889f0f642b
af01b8ece8f568f76bee77c812b47a4c46c7a969a76c3b69b3ffdc86d58654f7
c317c52e7b95e14ae974df6fe99df3e5c976b2186897f19fbef68add5dcc28ea
7721248f6c524da20b6f51b54e486e5d58766b29dfc5664a3e7a692dd2eb6655
2cc1c3bd97262adacd9db09f5f42c0e7203a64f5dc9701bef0affaa75c444bd1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af01b8ece8f568f76bee77c812b47a4c46c7a969a76c3b69b3ffdc86d58654f7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/106576/

Comments