MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af56b9dcb12b4400edbb076430ccf0ecc8c33a1a413a70bdfb1ad7b1cbdf580f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 8

SHA256 hash: af56b9dcb12b4400edbb076430ccf0ecc8c33a1a413a70bdfb1ad7b1cbdf580f
SHA3-384 hash: e32c363ff98753311a5000849896b321738ab389f5863424d318584eb7c745cc720a9336bc28d816a0679973cd2eb7f1
SHA1 hash: dd3bee45198e9f567730dfaf3021a4d97eae7c8b
MD5 hash: 82319fa42f3cee876324384e7c456332
humanhash: fanta-stream-nitrogen-shade
File name: 82319fa42f3cee876324384e7c456332.dll
Signature: Gozi
File size: 294'912 bytes
First seen: 2021-05-31 09:00:03 UTC
Last seen: 2021-05-31 09:56:55 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 5da9c1536791db8e15c4dba7afbc1065 (1 x Gozi)
ssdeep: 3072:zOQ5+44D+WP4UlkqUftsqe35rvbydbUMnZp19KYHqAxmAmc+KOQDybhraGPLibbK:z44aaTJheRbSbUq9KqqAx0cmGGYiUe
Threatray: 325 similar samples on MalwareBazaar
TLSH: 2454C01036D1C0B2D19201BE8405D75487BEBC518E261F9B3BED0EDF6F7E6A29366392
Reporter: abuse_ch
Tags: dll Gozi isfb Ursnif

Intelligence


File Origin
# of uploads: 2
# of downloads: 422
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a custom TCP request
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Searching for the window
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj
Score: 64 / 100
Signature
Found malware configuration
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (ID 426982; sample a9FUs89dWy.dll; start date 31/05/2021; architecture WINDOWS; score 64):
- Contacted domains: roudinoden.club, cloudinoren.club, and 19 other IPs or domains
- Signatures: Found malware configuration; Yara detected Ursnif; Writes or reads registry keys via WMI; Writes registry values via WMI
- Processes started: loaddll32.exe, iexplore.exe; loaddll32.exe starts rundll32.exe (x2) and cmd.exe; cmd.exe starts rundll32.exe; iexplore.exe starts a child iexplore.exe
- Network from child iexplore.exe: outlook.com (40.97.161.50, port 443, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), FRA-efz.ms-acdc.office.com (52.97.250.242, port 443, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), and 5 other IPs or domains
Threat name: Win32.Trojan.BankerX
Status: Malicious
First seen: 2021-05-31 09:00:15 UTC
AV detection: 1 of 47 (2.13%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:8877 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com/login
roudinoden.club
cloudinoren.club
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Ursnif3
Author: kevoreilly
Description: Ursnif Payload

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gozi
File type: DLL dll
SHA256: af56b9dcb12b4400edbb076430ccf0ecc8c33a1a413a70bdfb1ad7b1cbdf580f (this sample)

Delivery method: Distributed via web download
