MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7d73139f8758b04508d6873dd29011ab35b336b73ece0d4ea0710399c960180. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 11



SHA256 hash: b7d73139f8758b04508d6873dd29011ab35b336b73ece0d4ea0710399c960180
SHA3-384 hash: dcce82a02c67fcc923049e19b5675607987a5995f640c0f6c1f88d64472215ea63c788c86a6f0e54ab42c65bfd3d59b0
SHA1 hash: af32286f8eaf266d4ee609aca40cad4a2221717b
MD5 hash: fb4868e55a1dc8b84833262ac5ff6254
humanhash: jig-cold-bulldog-freddie
File name: 6135e5651eada.tar
Signature: Gozi
File size: 376'832 bytes
First seen: 2021-09-06 10:12:37 UTC
Last seen: 2021-09-06 21:46:53 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 56afa8935a33a8701aa82a9274230e42 (1 x Gozi)
ssdeep: 6144:8pW5yM4eF6MOl7SfFPFY0Hi1PkZkWM6gm2X4cCC8rJpDvjM:8Q5yB78fFPTHi1Pku6gjIcC3FlM
Threatray: 1'903 similar samples on MalwareBazaar
TLSH: T11284E012B7E2E0B0D06E463ABC60DCE55A9C7C616F345897B7C42F9F6A33091563A70B
Reporter: ffforward
Tags: Cutwail dll enel EnelEnergia Gozi tar Ursnif

Intelligence


File Origin
# of uploads: 2
# of downloads: 1'261
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2021-09-06 10:13:08 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 13 of 27 (48.15%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:8877 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
lureborufer.store
dureborufer.store
Unpacked files
SHA256 hash: 2889137d866cc4c5859a4372fc2e1de6a3c8e299839b20a6ea9aa9da2eac9195
MD5 hash: 2702857c552e001a49ea1b0e1604fc9e
SHA1 hash: 34bcd9532ccc4035e30a8d2be5e5a009b1fd0cf5
Detections: win_isfb_auto
SHA256 hash: b7d73139f8758b04508d6873dd29011ab35b336b73ece0d4ea0710399c960180
MD5 hash: fb4868e55a1dc8b84833262ac5ff6254
SHA1 hash: af32286f8eaf266d4ee609aca40cad4a2221717b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.isfb.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: Gozi
File type: DLL dll
SHA256 hash: b7d73139f8758b04508d6873dd29011ab35b336b73ece0d4ea0710399c960180 (this sample)

Comments