MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba1a4ae1f2155524be33ae4addcc907881d1b4e64c4a8090f4f77d1ad1e87cd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba1a4ae1f2155524be33ae4addcc907881d1b4e64c4a8090f4f77d1ad1e87cd0
SHA3-384 hash: df140fa036565b875ad24baeba1de48262760d0fe233d26f4825845393eaaf8ddd21e09185c300f18f657ea3ac4bfa43
SHA1 hash: d823e8bee4119e95b7046785525c928706c5cb02
MD5 hash: a133bf254779831981467cd73545012b
humanhash: nitrogen-mockingbird-berlin-washington
File name:servizi.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:143'360 bytes
First seen:2020-09-25 09:38:08 UTC
Last seen:2020-09-25 13:11:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 628ada911d4e4d6c3bae8cdcd9a9f3c7 (1 x Gozi)
ssdeep 3072:qdmhWxAL9CZtcnXp2kCNMmNqi2cK3zqOz/3WNofDoegBv9cd01+Y:O+WxA5C+hIp0zr/lLJgBv96
Threatray 27 similar samples on MalwareBazaar
TLSH 77E3AE2B34DC2CCCC45F22797C69D7834BCFA4381F96B2084DE4668CD49BA96D921791
Reporter Anonymous
Tags:Gozi isfb2 Ursnif

Intelligence

File Origin
# of uploads :
3
# of downloads :
409
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/65758/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Pate.ch.2257.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Setting a global event handler
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/474942
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba1a4ae1f2155524be33ae4addcc907881d1b4e64c4a8090f4f77d1ad1e87cd0/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 09:40:09 UTC
File Type:
PE (Dll)
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
06dd35ce0c9b164f9ecafc4269d91fb8a23634d541ec455dfcd4dcd624523f4b
Gozi
394ecd747f9b75d73b9d9fb0e393c754ce030e1cccf6c2544fd6eb54578cd517
Gozi
562be8984ba2629bba153f053977bb0ef17942bfefdb610a8eb618d955ded112
Gozi
6a39a3e7387f3d214042b2d9d99f4d6de18303d56ad96c9a48df20cf4693091b
Gozi
a37a3be0bddd0cb696900b5acf220c32c40e9dfe8d2e41f85a4ca5c0e6fd9307
Gozi
b958fb921a0e3bcc14962b3771f610e972526713f70bd36437b3f299fd252e52
Gozi
ceafed22728ab72aa4a74dc2fc96d54b85ec0432ef0c97a4497075cc802109d3
Gozi
d7c37dced460635f71add15aa5071cdd82d73ab250c7f3104387bcdceb7ddced
Gozi
dfbc5b7983de8ea77c2eaee6b821132699737755b27007c6f932ac673a6a1ea8
Gozi
f394be3f5bca6042b4c243810e61047cdc48802d278059ab03d07b2495e48704
Gozi
+ 17 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
banker trojan family:gozi_ifsb
Link:
https://tria.ge/reports/200925-1kybs8scf6/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Blacklisted process makes network request
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
ba1a4ae1f2155524be33ae4addcc907881d1b4e64c4a8090f4f77d1ad1e87cd0
MD5 hash:
a133bf254779831981467cd73545012b
SHA1 hash:
d823e8bee4119e95b7046785525c928706c5cb02
Link:
https://www.unpac.me/results/efa36596-93ed-4faf-a46d-51eb067d0eca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba1a4ae1f2155524be33ae4addcc907881d1b4e64c4a8090f4f77d1ad1e87cd0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe ba1a4ae1f2155524be33ae4addcc907881d1b4e64c4a8090f4f77d1ad1e87cd0

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/65758/
  
URLhaus
https://urlhaus.abuse.ch/url/611415/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/611541/
  
URLhaus
https://urlhaus.abuse.ch/url/611555/
  
URLhaus
https://urlhaus.abuse.ch/url/611542/
  
URLhaus
https://urlhaus.abuse.ch/url/611381/

Comments