MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bce328beb9ae78ec279dc17bf701d58cb1cfa12ff570b00c78c0ada6893c80cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bce328beb9ae78ec279dc17bf701d58cb1cfa12ff570b00c78c0ada6893c80cf
SHA3-384 hash: 1067c20979b0efff6ff8dd1eb4cfe5939244b67a2a4bebac0e4f3826176d1861f744cb07cf65468aa7c33fc44f2d6f33
SHA1 hash: d790b9fc4b6e37035357f1bcf3948b66c6931f15
MD5 hash: b39e97bde83db04c795d18b8f67e19ea
humanhash: florida-pip-sixteen-floor
File name:b39e97bde83db04c795d18b8f67e19ea.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:136'704 bytes
First seen:2021-11-22 12:47:15 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 4c89e39b5ebc619c69b957c6b4f65780 (6 x Gozi)
ssdeep 3072:f+7lF7w3CGyy+7z/2/zS4cfYOqrYLlaWYpPBlGVE7Iha/:HCP7EcfYVkRa9BsW6a/
Threatray 518 similar samples on MalwareBazaar
TLSH T133D3BF01B6D1C475EABF16310474D6B25F3D7A11CBE09EEB2B96072A4E701C0EE3AD66
Reporter abuse_ch
Tags:dll geo Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
593
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  10/10
Confidence:
67%
Link:
https://www.filescan.io/uploads/619b918494a88037d2fe57e1/reports/3ad27218-5f97-46c5-ac12-7fcb2d57a485/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/62bbd943-944b-4681-b5e5-f16946e3fa32
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/893819
Signature
Found malware configuration
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 526297 Sample: tebdXHvUhB.dll Startdate: 22/11/2021 Architecture: WINDOWS Score: 80 28 technoshoper.com 2->28 30 avolebukoneh.website 2->30 64 Found malware configuration 2->64 66 Yara detected  Ursnif 2->66 8 loaddll32.exe 1 2->8         started        signatures3 process4 dnsIp5 44 avolebukoneh.website 37.120.206.119, 443, 49874, 49875 M247GB Romania 8->44 46 technoshoper.com 45.9.20.245, 443, 49852, 49853 DEDIPATH-LLCUS Russian Federation 8->46 48 2 other IPs or domains 8->48 72 Writes or reads registry keys via WMI 8->72 74 Writes registry values via WMI 8->74 12 cmd.exe 1 8->12         started        14 regsvr32.exe 8->14         started        18 rundll32.exe 8->18         started        20 3 other processes 8->20 signatures6 process7 dnsIp8 22 rundll32.exe 12->22         started        50 technoshoper.com 14->50 52 avolebukoneh.website 14->52 60 2 other IPs or domains 14->60 76 Writes or reads registry keys via WMI 14->76 78 Writes registry values via WMI 14->78 54 technoshoper.com 18->54 56 avolebukoneh.website 18->56 62 2 other IPs or domains 18->62 80 System process connects to network (likely due to code injection or exploit) 18->80 58 192.168.2.1 unknown unknown 20->58 26 iexplore.exe 7 146 20->26         started        signatures9 process10 dnsIp11 32 technoshoper.com 22->32 34 avolebukoneh.website 22->34 40 2 other IPs or domains 22->40 68 System process connects to network (likely due to code injection or exploit) 22->68 70 Writes registry values via WMI 22->70 36 dart.l.doubleclick.net 216.58.215.230, 443, 49794, 49795 GOOGLEUS United States 26->36 38 ad-delivery.net 104.26.3.70, 443, 49796, 49797 CLOUDFLARENETUS United States 26->38 42 8 other IPs or domains 26->42 signatures12
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bce328beb9ae78ec279dc17bf701d58cb1cfa12ff570b00c78c0ada6893c80cf/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 12:48:10 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtrsrpvzvz4oyj45yf57oaovrsy47ijp6vyladdyycw2ncj4qdhq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
04bc49d8d336d4044653afe72a8433870c7dd14d21d632b82f9d0f569600e301
Gozi
47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
Gozi
905140bb6e354057839e731eab636855cb5d35ef7fefd43c195b7960fa10cfa0
Gozi
b82a1d06e5650808ae0b9ef1a77cc6047ca0601b13a9afa8cded17a93e27cda9
Gozi
cc7045d9fe77c4aa4cb646d01fb4700008a34f58f49358d0b0b0997d21016aab
Gozi
e5ddae0f09c15a7eaebe71a0ccfcb83ccdd629760b612fffaab46d9a4260e662
Gozi
f9fd7b6794b5579f64c034d1cfd0adbc5c4c5ef433d0e9f2b6ff95d58d3d7201
Gozi
+ 508 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8899 banker suricata trojan
Link:
https://tria.ge/reports/211122-p1r1cafebk/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Malware Config
C2 Extraction:
microsoft.com/windowsdisabler
https://technoshoper.com
https://avolebukoneh.website
http://technoshoper.com
http://avolebukoneh.website
Unpacked files
SH256 hash:
a98563af81949a6f5268994c523cad9c7ef028418e4fc84d446a021382e6e14c
MD5 hash:
cdf3bdc294b699f25b8d6ff8c1a2171e
SHA1 hash:
bd28cb6aa90934cbaf6fd52c68271c4f4fffbb60
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/d2da028f-23c2-4d38-a823-a05e661dfc3a/
Parent samples :
e5ddae0f09c15a7eaebe71a0ccfcb83ccdd629760b612fffaab46d9a4260e662
b82a1d06e5650808ae0b9ef1a77cc6047ca0601b13a9afa8cded17a93e27cda9
bce328beb9ae78ec279dc17bf701d58cb1cfa12ff570b00c78c0ada6893c80cf
43440e9a6d2d0a68b84f7885fda26748fa86de6ca709a883959e2640f3f706bf
5bbba6d13c8222ef2cc5c4aecf14043f1e74d164ab2a1b3e4b68ee6cb086900c
450a436cf830b03533a2ce0d8d40724d61c8b0e5f8164413c05d2c870b4ba8eb
SH256 hash:
bce328beb9ae78ec279dc17bf701d58cb1cfa12ff570b00c78c0ada6893c80cf
MD5 hash:
b39e97bde83db04c795d18b8f67e19ea
SHA1 hash:
d790b9fc4b6e37035357f1bcf3948b66c6931f15
Link:
https://www.unpac.me/results/d2da028f-23c2-4d38-a823-a05e661dfc3a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bce328beb9ae78ec279dc17bf701d58cb1cfa12ff570b00c78c0ada6893c80cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll bce328beb9ae78ec279dc17bf701d58cb1cfa12ff570b00c78c0ada6893c80cf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1804265/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/208154/

Comments