MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bad7c7a4553a600deef25fe5e29b22fcba05d32f9155352d12f8438080b07fa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bad7c7a4553a600deef25fe5e29b22fcba05d32f9155352d12f8438080b07fa9
SHA3-384 hash: 2432f6246dfd92b0655bfefce9158f8a267570ff8b2b6e0f425aab77f7178ab09c5a413ccec17b3a641602e2de781b6c
SHA1 hash: ab4899ffc60699b28a76f2e0cd3676b4677b9a4c
MD5 hash: 91debc889c24d97edeab1c65810b239c
humanhash: aspen-alabama-november-south
File name:header.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:316'272 bytes
First seen:2021-02-08 06:53:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f62a14e248f2127481edfc6a3731b11 (1 x Gozi)
ssdeep 6144:brqjOyBY+0GAmiNWafSHIWGGmHxrZv4fk6GFzGzg:/gX6+0Gl8WZGGmHnvd
Threatray 74 similar samples on MalwareBazaar
TLSH B5645B2B70D1C072E251D6BC98EAA7F1E650FD24DA48349361C43EAFF8770BE52C5686
Reporter JAMESWT_WT
Tags:dll Gozi isfb mise signed Ursnif

Code Signing Certificate

Organisation:Symantec Corporation
Issuer:VeriSign Class 3 Code Signing 2004 CA
Algorithm:sha1WithRSAEncryption
Valid from:2007-10-31T00:00:00Z
Valid to:2010-11-24T23:59:59Z
Serial number: 758f5ee8263b6694719d8434eb998608
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: f67dda8679c10547d47fbc3bd71d98953d4f73fc60c50035e6f366e3da6395c2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Downloads.zip
Verdict:
Malicious activity
Analysis date:
2021-02-08 06:48:02 UTC
Tags:
loader trojan gozi ursnif dreambot
Link:
https://app.any.run/tasks/c228bf71-5682-4e4f-a41a-55802bc01712

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116009/
Detection(s):
SecuriteInfo.com.Malware-Cryptor.Limpopo.59.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending a UDP request
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/601518
Signature
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 349776 Sample: header.dll Startdate: 08/02/2021 Architecture: WINDOWS Score: 60 25 atomproc.com 2->25 35 Yara detected  Ursnif 2->35 37 Machine Learning detection for sample 2->37 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 regsvr32.exe 9->11         started        14 cmd.exe 1 9->14         started        signatures6 39 Writes or reads registry keys via WMI 11->39 41 Writes registry values via WMI 11->41 16 iexplore.exe 2 70 14->16         started        process7 process8 18 iexplore.exe 5 153 16->18         started        21 iexplore.exe 25 16->21         started        23 iexplore.exe 29 16->23         started        dnsIp9 27 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49750, 49751 YAHOO-DEBDE United Kingdom 18->27 29 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49752, 49753 FASTLYUS United States 18->29 33 10 other IPs or domains 18->33 31 ocsp.sca1b.amazontrust.com 143.204.15.203, 49769, 49770, 80 AMAZON-02US United States 21->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bad7c7a4553a600deef25fe5e29b22fcba05d32f9155352d12f8438080b07fa9/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2021-02-08 06:54:06 UTC
File Type:
PE (Dll)
Extracted files:
60
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xll4pjcvhjqa33xsl7s6fgzc7s5aluzpsfktklis7bbybafqp6uq._file
Verdict:
malicious
Similar samples:
184a4559b5b36330ba844ca4cd9408aed2f38290bf4cb8ad3ba6e129423a0bd0
Gozi
394ecd747f9b75d73b9d9fb0e393c754ce030e1cccf6c2544fd6eb54578cd517
Gozi
562be8984ba2629bba153f053977bb0ef17942bfefdb610a8eb618d955ded112
Gozi
6a39a3e7387f3d214042b2d9d99f4d6de18303d56ad96c9a48df20cf4693091b
Gozi
99b6752f4009fd4bbf0c62cf0f30285fbf28bbdd3c5b7fee0bf1b7fe20a8a406
Gozi
b5bca2548051f7a0bccedd44ae018dfe9df7632ecb9c7c7ff98a6aadecc985b3
Gozi
d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3
Gozi
f394be3f5bca6042b4c243810e61047cdc48802d278059ab03d07b2495e48704
Gozi
ff69d250cc705f583350967cc8956786e198d2ab5cbaa6e19fc63b1e2a208ac7
Gozi
ff84091bb6f0eee80d98d41baf3ea143b48502d3933c0d9097abdf99618ffcf8
Gozi
+ 64 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/210208-7c97leh76s/
Behaviour
Modifies Internet Explorer Phishing Filter
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
bad7c7a4553a600deef25fe5e29b22fcba05d32f9155352d12f8438080b07fa9
MD5 hash:
91debc889c24d97edeab1c65810b239c
SHA1 hash:
ab4899ffc60699b28a76f2e0cd3676b4677b9a4c
Link:
https://www.unpac.me/results/ec0677df-6860-411d-8bc8-53a79667bbb6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/bad7c7a4553a600deef25fe5e29b22fcba05d32f9155352d12f8438080b07fa9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe bad7c7a4553a600deef25fe5e29b22fcba05d32f9155352d12f8438080b07fa9

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/116009/
  
URLhaus
https://urlhaus.abuse.ch/url/994733/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/994735/
  
URLhaus
https://urlhaus.abuse.ch/url/994734/
  
URLhaus
https://urlhaus.abuse.ch/url/994736/
  
URLhaus
https://urlhaus.abuse.ch/url/994732/

Comments