MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
SHA3-384 hash: 1ab25de22b060c23cfa2e7c03fd2ca2d1fecf449526c991de5120928ea828dc928cd7273f8db57a4259e41b32cbcf672
SHA1 hash: c751f3ab4612917d15967fc1f0591e674c2e56ca
MD5 hash: 903cf677ba834a968b42bd71e4626a9d
humanhash: west-johnny-april-six
File name:903cf677ba834a968b42bd71e4626a9d.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:718'336 bytes
First seen:2021-10-11 13:57:10 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash b5c6badd398e2e3aa283a40a40432c6c (3 x Gozi)
ssdeep 12288:1UAQSx16fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XrGAsF:1z3x16fq8Np6bTPPaBreaZlYCOSVol2S
Threatray 311 similar samples on MalwareBazaar
TLSH T14AE47D013980C032E6EE11768E35CAF5476C7C209B7099DFB7D47A2F6F795E2A229316
Reporter abuse_ch
Tags:brt dll geo Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
849
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196642/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.835.4834.28211.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/616442ecfd35fe780c382133/reports/5fe91fe9-6bc6-435c-b67d-70f10eeaeb91/overview
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05a37df4-5a80-441d-8bd0-76ef0038f778
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/867881
Signature
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 500309 Sample: 6yDD19jMIu.dll Startdate: 11/10/2021 Architecture: WINDOWS Score: 96 42 Multi AV Scanner detection for domain / URL 2->42 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected  Ursnif 2->48 7 loaddll32.exe 1 2->7         started        process3 dnsIp4 36 breuranel.website 7->36 38 areuranel.website 7->38 40 11 other IPs or domains 7->40 52 Writes or reads registry keys via WMI 7->52 54 Writes registry values via WMI 7->54 11 rundll32.exe 7->11         started        14 cmd.exe 1 7->14         started        16 rundll32.exe 7->16         started        18 rundll32.exe 7->18         started        signatures5 process6 signatures7 56 System process connects to network (likely due to code injection or exploit) 11->56 58 Writes registry values via WMI 11->58 20 WerFault.exe 23 9 11->20         started        22 rundll32.exe 14->22         started        26 WerFault.exe 9 16->26         started        28 WerFault.exe 2 9 18->28         started        process8 dnsIp9 30 52.97.137.114, 443, 49844 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->30 32 52.97.219.162, 443, 49843, 49846 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->32 34 12 other IPs or domains 22->34 50 System process connects to network (likely due to code injection or exploit) 22->50 signatures10
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 13:58:58 UTC
AV detection:
14 of 27 (51.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wya2hsoduppzaq7kqjzt6hnfwqjsa7lvqxfgwgf2vcsnsi6oslma._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
18aeff30ba057010d7970ee026856ba163eece1adfaa8adf2bfb08bcad3186dc
Gozi
22cf76937043b616cb4c67bec58e329fecc91015329799f7b85abda1b2f6fde2
Gozi
304200fb6fd71dc1fd035c1c202a7e7ba4b2679d14592676322b2e550c7223d3
Gozi
37811565805d0410d1f88f67d722b4d51f3279421566878cf9382f57ab4b81b0
Gozi
3dd13a7ac7e2249f933efe211a4eb64dce0c13811da83e7c41f11c28d3aeac03
Gozi
47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
Gozi
5a51457b8015e4f9db5a7f257d664dafcbbd8fcc278f9da68c94e2daf425b3a3
Gozi
f09569b61b068a70e2570e2df7bd6ee6c288f8ccc4bd03ceabdf3fb6893261d1
Gozi
f9fd7b6794b5579f64c034d1cfd0adbc5c4c5ef433d0e9f2b6ff95d58d3d7201
Gozi
fed0ceb220d653d828440b9858d7cddce0a38afaf368f3dede8c1a9942a9cfac
Gozi
+ 301 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8899 banker trojan
Link:
https://tria.ge/reports/211011-q9tqzahdc5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
msn.com/mail
breuranel.website
outlook.com/signup
areuranel.website
Unpacked files
SH256 hash:
cb10daa9771147e4fd240d5362907e9c747ead1000fbc68a56fa7dfdbf503413
MD5 hash:
4b685bc32ac83608f71965573ab560df
SHA1 hash:
31cab28fbc460bafe5306ce9ae86e094b07c92d3
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/efe11512-4929-4737-8547-ecfa31ed7c75/
Parent samples :
41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
1be687a0453f23ea53b94a4447c926a9b4b6e01c2788e641b76eb4a5215bd960
b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
SH256 hash:
c7424869eccc60a1822d74f4a70500633aa0161aa49dcff98ce49efa1ecd3525
MD5 hash:
9e90860419e750acc6e5b0ec99653539
SHA1 hash:
67482b8d172626049d0eb1636c0c8e28ece7402a
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/efe11512-4929-4737-8547-ecfa31ed7c75/
SH256 hash:
b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
MD5 hash:
903cf677ba834a968b42bd71e4626a9d
SHA1 hash:
c751f3ab4612917d15967fc1f0591e674c2e56ca
Link:
https://www.unpac.me/results/efe11512-4929-4737-8547-ecfa31ed7c75/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1666489/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196642/

Comments