MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b725a6e174cd448a720f179599290d3f014fd2d1521b8de1ddcf28193ba8d09f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b725a6e174cd448a720f179599290d3f014fd2d1521b8de1ddcf28193ba8d09f
SHA3-384 hash: 13f000994ce1a75533f124d7fbae03f0d5e2f6833d09e8a7741fcf7f49382e5b36a495bf499f90b02e12903982c2a008
SHA1 hash: 0f727f35cded239371681678545328a25014c92e
MD5 hash: 649b5c913739cea195c7662ff412b8ce
humanhash: ohio-louisiana-item-zulu
File name:2200.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:389'632 bytes
First seen:2021-03-02 06:23:47 UTC
Last seen:2021-03-02 09:42:01 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 1b86fe32916e9e09d908380089868a64 (1 x Gozi)
ssdeep 6144:HTMsOk36gUZ5UqnU/D+eibiNTUJAyHR4mroBN2urtNcN908/8TP7PHYNJ1oVOA26:HTSgQOVkicAyRjBur48X4NJB56zm+
TLSH 7884DA2DBEA5E04DFA2BEABD4440C17A06A0FC514B6329DF36C11E9B553B7C312785E2
Reporter wato_dn
Tags:Gozi isfb opendir Ursnif

Intelligence

File Origin
# of uploads :
3
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120501/
Detection(s):
SecuriteInfo.com.Program.21732.31142.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Gozi Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/623251
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Detected Gozi e-Banking trojan
Found malware configuration
Hooks registry keys query functions (used to hide registry keys)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 360614 Sample: 2200.dll Startdate: 02/03/2021 Architecture: WINDOWS Score: 100 65 resolver1.opendns.com 2->65 67 c56.lepini.at 2->67 69 api3.lepini.at 2->69 97 Found malware configuration 2->97 99 Malicious sample detected (through community Yara rule) 2->99 101 Antivirus detection for URL or domain 2->101 103 8 other signatures 2->103 9 loaddll32.exe 1 2->9         started        11 mshta.exe 2->11         started        14 mshta.exe 2->14         started        signatures3 process4 signatures5 16 regsvr32.exe 2 9->16         started        19 rundll32.exe 9->19         started        21 cmd.exe 1 9->21         started        105 Suspicious powershell command line found 11->105 23 powershell.exe 11->23         started        26 powershell.exe 14->26         started        process6 file7 79 Detected Gozi e-Banking trojan 16->79 81 Writes to foreign memory regions 16->81 83 Allocates memory in foreign processes 16->83 85 Writes or reads registry keys via WMI 16->85 28 control.exe 16->28         started        87 Writes registry values via WMI 19->87 31 iexplore.exe 1 93 21->31         started        61 C:\Users\user\AppData\...\pko53gmf.cmdline, UTF-8 23->61 dropped 89 Modifies the context of a thread in another process (thread injection) 23->89 91 Maps a DLL or memory area into another process 23->91 93 Compiles code for process injection (via .Net compiler) 23->93 33 csc.exe 23->33         started        36 csc.exe 23->36         started        38 conhost.exe 23->38         started        63 C:\Users\user\AppData\Local\...\pdb15skb.0.cs, UTF-8 26->63 dropped 95 Creates a thread in another existing process (thread injection) 26->95 40 csc.exe 26->40         started        42 conhost.exe 26->42         started        signatures8 process9 file10 107 Changes memory attributes in foreign processes to executable or writable 28->107 109 Modifies the context of a thread in another process (thread injection) 28->109 111 Maps a DLL or memory area into another process 28->111 113 Creates a thread in another existing process (thread injection) 28->113 44 iexplore.exe 149 31->44         started        47 iexplore.exe 31->47         started        49 iexplore.exe 31->49         started        53 4 other processes 31->53 55 C:\Users\user\AppData\Local\...\pko53gmf.dll, PE32 33->55 dropped 51 cvtres.exe 33->51         started        57 C:\Users\user\AppData\Local\...\qgvfkcmr.dll, PE32 36->57 dropped 59 C:\Users\user\AppData\Local\...\20tyqkkn.dll, PE32 40->59 dropped signatures11 process12 dnsIp13 71 img.img-taboola.com 44->71 73 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49740, 49741 YAHOO-DEBDE United Kingdom 44->73 77 9 other IPs or domains 44->77 75 api10.laptok.at 34.65.108.95, 49757, 49758, 49760 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 47->75
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b725a6e174cd448a720f179599290d3f014fd2d1521b8de1ddcf28193ba8d09f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w4s2nyluzvciu4qpc6kzskinh4au7uwrkiny3yo5z4ubso5i2cpq._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:2200 banker trojan
Link:
https://tria.ge/reports/210302-1aeb4a8vln/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
api10.laptok.at/api1
golang.feel500.at/api1
go.in100k.at/api1
Unpacked files
SH256 hash:
8a06f6660355b6b393f3ef0c42e148ad2f94e5677c375ddf415f733b06fcef32
MD5 hash:
f52995516bb061fa7bc7f788b131cb68
SHA1 hash:
b8a808b508e57794aae41dc3e6d9ae64be0c0cce
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/e07c4cd5-a9e5-403f-b67f-3279d688caf0/
Parent samples :
f30b3f53f613d953680fdde8faf35c96a25a1136d0dd6c7aab1cc14ee908702c
51992453cfe179fa3a637985cba9f5a6d5ab495a268e000f480086821c009f3b
b725a6e174cd448a720f179599290d3f014fd2d1521b8de1ddcf28193ba8d09f
1f22836a61a81e1985074d64fcfcf30f7f94bf198b409531cd5632da1c3f2df7
7ed0c15697c8a218fd403c01f7dd336105417dafab886a4f0790d5f2350d6b50
SH256 hash:
b725a6e174cd448a720f179599290d3f014fd2d1521b8de1ddcf28193ba8d09f
MD5 hash:
649b5c913739cea195c7662ff412b8ce
SHA1 hash:
0f727f35cded239371681678545328a25014c92e
Link:
https://www.unpac.me/results/e07c4cd5-a9e5-403f-b67f-3279d688caf0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b725a6e174cd448a720f179599290d3f014fd2d1521b8de1ddcf28193ba8d09f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll b725a6e174cd448a720f179599290d3f014fd2d1521b8de1ddcf28193ba8d09f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/120501/
  
URLhaus
https://urlhaus.abuse.ch/url/1041994/
  
Delivery method
Distributed via web download

Comments