MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbba398a47b36631e9d69f3d7ab36ac4004af400c4954fb170fe3ea45698210e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbba398a47b36631e9d69f3d7ab36ac4004af400c4954fb170fe3ea45698210e
SHA3-384 hash: e9f7117e3ed4401b963e09eb858fcc67ee321da06a23f326bd54d667ee387ac4c6a877c094fffb40a5422f502c9da749
SHA1 hash: 2cbd8467ed47dbbf4336c86470b0bba59f2209d0
MD5 hash: 8dbb13177f1711829695cbb3226737d1
humanhash: bakerloo-wyoming-bakerloo-william
File name:8dbb13177f1711829695cbb3226737d1.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:39'936 bytes
First seen:2022-07-29 14:01:26 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 0d3ce1aa4e05aa830613233bf85702d3 (3 x Gozi)
ssdeep 768:A2yrU7eukUXM7dbNVvWWyQ1fbbFh6M5PhR3xtIJucXWXbuRRc6Pg59:gaeuZM79NsWlfb5hB5PhR3xiucXWruM9
Threatray 732 similar samples on MalwareBazaar
TLSH T1E303E012AD4158B7E5D6053272A027AEDA3543240325A8C6E702783CDD8749F7EFF783
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:dll Gozi isfb

Intelligence

File Origin
# of uploads :
1
# of downloads :
458
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295081/
Detection(s):
Win.Malware.GoziISFB-9940853-1
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gozi packed razy ursnif wacatac
Link:
https://www.filescan.io/uploads/62e3e8b7bcf76fcb6cce3e6a/reports/8a6bce99-7f28-4020-b924-0277c4fc7e3a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed9c16b7-79f1-44e0-a1db-0be8b9d80f7a
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043144
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 675640 Sample: D6kStEg2Mb.dll Startdate: 29/07/2022 Architecture: WINDOWS Score: 100 24 trackingg-protectioon.cdn1.mozilla.net 2->24 40 Snort IDS alert for network traffic 2->40 42 Antivirus detection for URL or domain 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 3 other signatures 2->46 8 loaddll32.exe 13 2->8         started        signatures3 process4 dnsIp5 28 194.76.225.101, 49937, 49938, 49939 RACKPLACEDE Germany 8->28 30 192.168.2.1 unknown unknown 8->30 32 trackingg-protectioon.cdn1.mozilla.net 8->32 52 Found evasive API chain (may stop execution after checking system information) 8->52 54 Found API chain indicative of debugger detection 8->54 56 Writes or reads registry keys via WMI 8->56 58 Writes registry values via WMI 8->58 12 cmd.exe 1 8->12         started        14 regsvr32.exe 12 8->14         started        18 rundll32.exe 12 8->18         started        signatures6 process7 dnsIp8 20 rundll32.exe 12 12->20         started        34 185.189.151.232, 49854, 49855, 49860 AS-SOFTPLUSCH Switzerland 14->34 36 trackingg-protectioon.cdn1.mozilla.net 14->36 60 Writes or reads registry keys via WMI 14->60 62 Writes registry values via WMI 14->62 38 trackingg-protectioon.cdn1.mozilla.net 18->38 64 System process connects to network (likely due to code injection or exploit) 18->64 signatures9 process10 dnsIp11 26 trackingg-protectioon.cdn1.mozilla.net 20->26 48 System process connects to network (likely due to code injection or exploit) 20->48 50 Writes registry values via WMI 20->50 signatures12
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bbba398a47b36631e9d69f3d7ab36ac4004af400c4954fb170fe3ea45698210e/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-07-29 13:49:02 UTC
File Type:
PE (Dll)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xo5dtcshwntdd2owt46xvm3kyqaev5aaysku7mlq7y7kivuyeeha._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1dffa8653b7363ab77ecc095d268a8116c00f538eb5ad079f39fc6b6239676a3
Gozi
31ce3caa362e5a6f3f453fa4a2e90a169b9eddd7fe139f8201aeb3314901c3a4
Gozi
34437641a6b16fcbc6a726c0eabcebf0e9abccb3a878aee2d0a7797c0dd4eae9
Gozi
443cecb542d49aea7e3f1f49ca814edecf0e85759f3f430ee66932cff72f37d0
Gozi
539b93f7453bae7aa4bb960cdca9cf90d3b94ca64c0e90b96e4c1b150e843d84
Gozi
67e7795e841eb31d9bcf22fcbe452092aa6b14795e807a219f6b68887c32f130
Gozi
7128826dcce9cae120e66c403a6c2a6f44ad221521a56b12515180b08cce63e6
Gozi
b1d0b5b4ce535cdbf0b8fbd21c8583fbade52436da55fbb7c1d4c75d47eca75c
Gozi
fb4ce70ec79c9112388019eeee847615403b8a8bd28cccfbf0eb631477a10f8b
Gozi
+ 722 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:44444 banker trojan
Link:
https://tria.ge/reports/220729-rb4zqababm/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
trackingg-protectioon.cdn1.mozilla.net
185.189.151.232
194.76.225.101
185.212.47.30
109.230.199.124
gomegodasto.at
Unpacked files
SH256 hash:
db07f3ce9017c00b4644198a3bbb974bde1ebce15a2a11818a41b8fe7d04cb93
MD5 hash:
f3bc1f84199d0cf3c4be8eb105be50e4
SHA1 hash:
ed79568284dc17d2e509eab9a74d8b7102844dc2
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/70ce3a9d-0386-4324-ba85-a4f6173c805e/
SH256 hash:
bbba398a47b36631e9d69f3d7ab36ac4004af400c4954fb170fe3ea45698210e
MD5 hash:
8dbb13177f1711829695cbb3226737d1
SHA1 hash:
2cbd8467ed47dbbf4336c86470b0bba59f2209d0
Link:
https://www.unpac.me/results/70ce3a9d-0386-4324-ba85-a4f6173c805e/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bbba398a47b3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ISFB
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/bbba398a47b36631e9d69f3d7ab36ac4004af400c4954fb170fe3ea45698210e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll bbba398a47b36631e9d69f3d7ab36ac4004af400c4954fb170fe3ea45698210e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2262597/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/295081/

Comments