MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdb26c5860ed5657c9b29eae09079c950159ccc2ebc56f2dffc190d90e33efa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 10

SHA256 hash: bdb26c5860ed5657c9b29eae09079c950159ccc2ebc56f2dffc190d90e33efa4
SHA3-384 hash: d67074e631476177b405c9e2e2ccd90c2dd4d64b72bafd5a29a61864645379e79f69c60439c2f6ca0b9ed4230746dea9
SHA1 hash: bfd04ea9fbf669cd3488aeb01f880a4904745113
MD5 hash: ef0d49f39f8e308fcb03a7a4b4022235
humanhash: quiet-four-edward-alabama
File name: r.dll
Signature: Gozi
File size: 1'304'576 bytes
First seen: 2021-05-31 18:28:34 UTC
Last seen: 2021-05-31 19:41:49 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 4ced21344a9d3b1ebc6b09de4b48c8cc (1 x Gozi)
ssdeep: 24576:fFGFMfj+IyadfMKYA+OxbvWTJtg1195D9Jn+v:fFGmfwA+OxbvWHC9rJn+v
Threatray: 322 similar samples on MalwareBazaar
TLSH: A755CF613AC2F072C42224314F65D9F40B6EBC255F754A5B33E01F6F6E7CA929B22762
Reporter: Anonymous
Tags: dll Gozi isfbv2 Ursnif

Intelligence


File Origin
# of uploads: 2
# of downloads: 399
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Replacing files
Deleting a recently created file
Creating a file in the %temp% directory
Creating a file
Launching a process
Sending a UDP request
Creating a file in the system32 subdirectories
Moving a recently created file
Using the Windows Management Instrumentation requests
Searching for the window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Launching a service
Enabling autorun by creating a file
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj
Score: 84 / 100
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (ID 427252; sample r.dll; start date 31/05/2021; architecture WINDOWS; score 84):
- Process chain: loaddll32.exe -> regsvr32.exe, iexplore.exe, cmd.exe and 2 other processes; iexplore.exe -> three further iexplore.exe instances and 3 other processes; cmd.exe -> rundll32.exe
- Network: roudinoden.club (46.21.153.200, 49772, 49773, 49784; HVC-ASUS, Netherlands); cloudinoren.club; edge.gycpi.b.yahoodns.net (87.248.118.23, 443, 49745, 49746; YAHOO-DEBDE, United Kingdom); 40.101.12.130, 443, 49778, 49779 and 40.101.12.82, 443, 49766, 49767 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 25 other IPs or domains
- Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; Writes or reads registry keys via WMI; Writes registry values via WMI; 2 other signatures
Threat name: Win32.Worm.Cridex
Status: Malicious
First seen: 2021-05-31 18:29:07 UTC
AV detection: 6 of 45 (13.33%)
Threat level: 5/5

Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:8877 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com/login
roudinoden.club
cloudinoren.club
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ursnif3
Author: kevoreilly
Description: Ursnif Payload

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Gozi, DLL dll bdb26c5860ed5657c9b29eae09079c950159ccc2ebc56f2dffc190d90e33efa4 (this sample)

Delivery method: Distributed via web download
