MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1d0b5b4ce535cdbf0b8fbd21c8583fbade52436da55fbb7c1d4c75d47eca75c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1d0b5b4ce535cdbf0b8fbd21c8583fbade52436da55fbb7c1d4c75d47eca75c
SHA3-384 hash: 09ba460744a6e0517164eb47ae3f113d3e1ea0f818ffdbf66bd4c0443d011114978afcd94650d973584bdf8d12eaa02f
SHA1 hash: caf87c9fa89e4f6039a3c296bbcd7ffce4cdf829
MD5 hash: 04447a2725f293f8a9746b0db58fa832
humanhash: lion-magnesium-network-three
File name:04447a2725f293f8a9746b0db58fa832
Download: download sample
Signature Gozi
Create hunting rule
File size:446'464 bytes
First seen:2022-06-14 08:58:50 UTC
Last seen:2023-05-24 08:07:06 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash d31c477cc159d9752f6e8ef56c0d2af9 (2 x Gozi)
ssdeep 6144:OgMK+UjmlPHBQKICVMLSzJvvsb2Z1tDDnaARYcri8f4XAIrIiG:OLK+JPHBcCVMLSzJvvQ2Z1Za8gXAIHG
Threatray 553 similar samples on MalwareBazaar
TLSH T11294BF06EE3BD678C7B9553FD616321B26A77038EE38D0E78353946A202589DA33D707
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter pr0xylife
Tags:dll Gozi Ursnif

Intelligence

File Origin
# of uploads :
3
# of downloads :
697
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/279706/
Detection(s):
SecuriteInfo.com.Artemis04447A2725F2.24648.2872.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62a84dda73b91c38f68d68c3/reports/0a5df6ff-dae3-4e13-a2ae-7cecbe66c04a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2824b533-7028-4660-a905-181f250eba84
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1012715
Signature
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b1d0b5b4ce535cdbf0b8fbd21c8583fbade52436da55fbb7c1d4c75d47eca75c/
Threat name:
Win32.Infostealer.Gozi
Create hunting rule
Status:
Malicious
First seen:
2022-06-14 08:59:09 UTC
File Type:
PE (Dll)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=whillngoknonx4fy7pjbzbmd7ow6kjbw3jk7xn6b2tdv2r7mu5oa._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
00f830a0748680a63981f427ece7c3f4a989d97431dc1f4e78706eb8987a8286
Gozi
2d83e172a42b032b32606b203f2a1a9736acfd86e76ede8ff57b3292c035d139
Gozi
60064e7969abecfaab8fedd58e0277e9253f5f59d4f60e8a414af290d90ac6df
Gozi
ce3d465a139b6c7ca2b3414a08230b50b1e2e341310113ada498c2aecdce1d96
Gozi
e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d
Gozi
f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766
Gozi
fc4bee1a68545b7067fad93ba74478641acd683117f9fe478a4941d7146db959
Gozi
+ 543 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000 banker suricata trojan
Link:
https://tria.ge/reports/220614-kxp95ahbf7/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Malware Config
C2 Extraction:
config.edge.skype.com
194.76.226.15
109.230.199.114
xmhomestilesh.at
geodezhols.at
31.214.157.87
194.76.224.26
Unpacked files
SH256 hash:
9fe764ec2cf232b5cf3afbdac83da4846ab4a7e11e5fda936097eec79bffa72b
MD5 hash:
00c5cefd7b8d986960d52fb37aad1f38
SHA1 hash:
fabf6f9f6890f94725c9556b671f62816b657b35
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/507d251b-1cff-4658-9e86-615b7d483ff0/
Parent samples :
ce3d465a139b6c7ca2b3414a08230b50b1e2e341310113ada498c2aecdce1d96
b1d0b5b4ce535cdbf0b8fbd21c8583fbade52436da55fbb7c1d4c75d47eca75c
SH256 hash:
98597fda3d59d47823d855d858f5a6c080762fc4733e5223ce973cd519ab3b3f
MD5 hash:
97ac42a1b0dfca519dce455eff5471b2
SHA1 hash:
22830124d3f23dc97383c85bf050431b04b07680
Link:
https://www.unpac.me/results/507d251b-1cff-4658-9e86-615b7d483ff0/
SH256 hash:
b1d0b5b4ce535cdbf0b8fbd21c8583fbade52436da55fbb7c1d4c75d47eca75c
MD5 hash:
04447a2725f293f8a9746b0db58fa832
SHA1 hash:
caf87c9fa89e4f6039a3c296bbcd7ffce4cdf829
Link:
https://www.unpac.me/results/507d251b-1cff-4658-9e86-615b7d483ff0/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b1d0b5b4ce53/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b1d0b5b4ce535cdbf0b8fbd21c8583fbade52436da55fbb7c1d4c75d47eca75c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/279706/

Comments