MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 9

SHA256 hash: afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984
SHA3-384 hash: 415a91c6b4340e07d1e0fc4ecea735a22d36ef8775afdb5e02234553536156b49b2fdd13b10173a9430cfbf368b2e683
SHA1 hash: dfb603663f5de381eafb617dccf51a2c30f34a4d
MD5 hash: caec766872f0fc3c7e4af0bf1e5cc939
humanhash: march-magnesium-equal-sierra
File name: cessentl1.dll
Signature Gozi
File size: 460'288 bytes
First seen: 2021-03-25 17:03:06 UTC
Last seen: 2021-03-25 18:44:23 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: fc9663872acc903d9517634be562458a (1 x Gozi)
ssdeep: 12288:W/KhVbAxtEzp3RvgPy+Emg1DEGnn1pW4TIeP7aDBIOi:xDbOM3Vg6p1DEGnn1Jp6I
Threatray: 625 similar samples on MalwareBazaar
TLSH: A3A4D02272E18276D13346398870EA658F6DBD710B3491CB779C263B8F326D14B37A5E
Reporter: Anonymous
Tags: dll Gozi

Intelligence

File Origin
# of uploads: 2
# of downloads: 177
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Sending an HTTP GET request
Searching for the window
Deleting a recently created file

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj
Score: 64 / 100
Signature:
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (graph image not included; details recovered from the graph):
Behavior Graph ID: 376072; Sample: cessentl1.dll; Start date: 25/03/2021; Architecture: WINDOWS; Score: 64
Signatures: Multi AV Scanner detection for submitted file; Yara detected Ursnif; Writes or reads registry keys via WMI; Writes registry values via WMI
Processes started: loaddll32.exe, iexplore.exe, cmd.exe, rundll32.exe (plus further iexplore.exe and cmd.exe child processes)
Network: gotoregt.space (45.67.228.186, TCP 443, source ports 49747 and 49748; SERVERIUS-AS NL, Moldova Republic of); 192.168.2.1 (unknown)
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2021-03-16 23:46:55 UTC
AV detection: 19 of 29 (65.52%)
Threat level: 5/5

Result
Malware family: gozi_rm3
Score: 10/10
Tags: family:gozi_rm3 banker trojan
Behaviour:
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Blocklisted process makes network request

Gozi RM3
Unpacked files
SHA256 hash: 3a61b0d24729f0ccfd55e5054f941c2741f083e1786170735d8f8421948e25fa
MD5 hash: 86749de9c65437994ec44291ab2020eb
SHA1 hash: 6e3aba181d9262c36a783753f2b33fa214a71bb6
Detections: win_isfb_auto

SHA256 hash: afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984
MD5 hash: caec766872f0fc3c7e4af0bf1e5cc939
SHA1 hash: dfb603663f5de381eafb617dccf51a2c30f34a4d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.
