MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd9eb71baa0d28bff80cbfa742346aa8f6d08ac463ce85bd97b9842aa6a2bbcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd9eb71baa0d28bff80cbfa742346aa8f6d08ac463ce85bd97b9842aa6a2bbcb
SHA3-384 hash: 9e45c236ad3373558d9d2c6ede2512a37a5fd643da8f70b93bfff1f8969cf0a362dd0f74082ecf02fd27de2716e67121
SHA1 hash: cff7636028417b342903905cfa0d9e549f7f8e63
MD5 hash: 136837b24eb33a39fbb5d1b62ab167a5
humanhash: salami-hamper-yellow-white
File name:0x0007000000012676-63.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:416'270 bytes
First seen:2022-04-14 08:12:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a8623a9f960eb90e6d53152a0cbc3183 (1 x Gozi)
ssdeep 6144:RJupRq57t8gM1Fr0ATPWiSP2Re8J2xiSP2Re8J2xiSP2Re8J2xiSP2Re8J2:RgPqpt8gM1p0iPPk8k8k8k
Threatray 40 similar samples on MalwareBazaar
TLSH T16D94C371D4D12625DE9E8076BA5AC3FAD8FD14F09F5938FF1714A50A00292FB8172BA3
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Anonymous
Tags:exe Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
992
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0x0007000000012676-63.exe
Verdict:
No threats detected
Analysis date:
2022-04-14 08:15:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0afb5cbb-0d9c-4c1b-8853-b3198df99fe4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263617/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50130324.23337.5354.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Creating a window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13819/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay
Link:
https://www.filescan.io/uploads/6257d790ffe27d5119cbe4d4/reports/95c7fe02-ba24-46b1-8ca5-eceb7fc6ed5c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a89b8fa-28e1-4773-b63c-2b34bb284fe4
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/976671
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Windows Shell File Write to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 609158 Sample: 0x0007000000012676-63.exe Startdate: 14/04/2022 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 8 other signatures 2->73 10 0x0007000000012676-63.exe 2->10         started        13 mshta.exe 19 2->13         started        process3 signatures4 87 Detected unpacking (changes PE section rights) 10->87 89 Detected unpacking (overwrites its own PE header) 10->89 91 Writes or reads registry keys via WMI 10->91 93 2 other signatures 10->93 15 0x0007000000012676-63.exe 1 6 10->15         started        19 powershell.exe 31 13->19         started        process5 dnsIp6 53 146.70.35.138, 49729, 80 TENET-1ZA United Kingdom 15->53 55 Writes to foreign memory regions 15->55 57 Allocates memory in foreign processes 15->57 59 Modifies the context of a thread in another process (thread injection) 15->59 21 control.exe 1 15->21         started        61 Injects code into the Windows Explorer (explorer.exe) 19->61 63 Maps a DLL or memory area into another process 19->63 65 Creates a thread in another existing process (thread injection) 19->65 24 csc.exe 3 19->24         started        27 csc.exe 3 19->27         started        29 conhost.exe 19->29         started        signatures7 process8 file9 75 Changes memory attributes in foreign processes to executable or writable 21->75 77 Injects code into the Windows Explorer (explorer.exe) 21->77 79 Writes to foreign memory regions 21->79 81 4 other signatures 21->81 31 explorer.exe 4 3 21->31 injected 49 C:\Users\user\AppData\Local\...\l441cgz2.dll, PE32 24->49 dropped 34 cvtres.exe 1 24->34         started        51 C:\Users\user\AppData\Local\...\aycyg1xo.dll, PE32 27->51 dropped 36 cvtres.exe 1 27->36         started        signatures10 process11 signatures12 95 Self deletion via cmd delete 31->95 97 Disables SPDY (HTTP compression, likely to perform web injects) 31->97 99 Creates a thread in another existing process (thread injection) 31->99 38 cmd.exe 1 31->38         started        41 cmd.exe 31->41         started        43 RuntimeBroker.exe 31->43 injected process13 signatures14 83 Uses ping.exe to sleep 38->83 85 Uses ping.exe to check the status of other devices and networks 38->85 45 conhost.exe 38->45         started        47 PING.EXE 1 38->47         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd9eb71baa0d28bff80cbfa742346aa8f6d08ac463ce85bd97b9842aa6a2bbcb/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-04-13 14:15:27 UTC
File Type:
PE (Exe)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xwplog5kbuul76amx6tuendkvd3nbcwemphilpmxxgccvjvcxpfq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
32c049803e5e151d305c79a1067920a7eaa2dabb92fa7f33ef950097bba016f2
Gozi
53c98ffe8239d1b715de36fb51e0dfd87ffa02d11a2e9d5df3c010e9d6973354
Gozi
8645443ec7e6626f422be863c814e800e0d9d38eab5d97e6e05e199b9329ebbe
Gozi
9f1726bcf904de21195baee12c9e794e72aa7af04e891cd6733ea7520650195b
Gozi
a367e32ce4b41d2a43bbeab5792a4fa2ae51f673d00df6fc73d078c0ed22c68a
Gozi
d583c5524f63153a15bcc4ecf132b6d0b5bd91d30dcc6d787cb401f92a079b9f
Gozi
+ 30 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:555 banker suricata trojan
Link:
https://tria.ge/reports/220414-j4earsagfl/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies registry class
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unexpected DNS network traffic destination
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
Malware Config
C2 Extraction:
config.edge.skype.com
146.70.35.138
146.70.35.142
67.43.234.14
67.43.234.37
67.43.234.47
Unpacked files
SH256 hash:
86b9bdb5fcc93a427d35173d58c21dbc29cd9cdc01ca9ed04030294afb0747c8
MD5 hash:
4463ef3a6e4d653837423c173d5af0ee
SHA1 hash:
7ee80b4b1771818274dcc91f21c46215beb26394
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/14be21df-b81a-4b0e-ab1b-8115d603447f/
SH256 hash:
49b416b97faf79e0789533761b3c9c668b9809cb1ae9ef9a4db2e8d67676246d
MD5 hash:
d0ff288d69d051a54fe741800bbed820
SHA1 hash:
02325d2233925214507376900bc6a9a57aae4987
Link:
https://www.unpac.me/results/14be21df-b81a-4b0e-ab1b-8115d603447f/
SH256 hash:
9aa86c9bb942c4d3f08ddecebddb04d6fbe94e7e7a0ec82ff5c15ea473647ab7
MD5 hash:
84ebfc962659c0c2bcfd21d88011a78e
SHA1 hash:
ba0ee7844f34ecbf90ae17f3cd9ab6d7c6ae6a96
Link:
https://www.unpac.me/results/14be21df-b81a-4b0e-ab1b-8115d603447f/
SH256 hash:
bd9eb71baa0d28bff80cbfa742346aa8f6d08ac463ce85bd97b9842aa6a2bbcb
MD5 hash:
136837b24eb33a39fbb5d1b62ab167a5
SHA1 hash:
cff7636028417b342903905cfa0d9e549f7f8e63
Link:
https://www.unpac.me/results/14be21df-b81a-4b0e-ab1b-8115d603447f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd9eb71baa0d28bff80cbfa742346aa8f6d08ac463ce85bd97b9842aa6a2bbcb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:WIN32_MALWR_DROPPER_INJECTOR_RANSOMWARE
Create hunting rule
Author:Jesper Mikkelsen
Description:Detect Suspicous dropper injector - possible ransomware dropper
Reference:SHA-1:0feda1e7b0d4506270c85973826fa498e9ed0f5b
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263617/

Comments