MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bea4b9483f25ce74c1116e05cc655c4735bf33ef90ded340c56e55218c26b0e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bea4b9483f25ce74c1116e05cc655c4735bf33ef90ded340c56e55218c26b0e7
SHA3-384 hash: 62a30e9d1bebf66bfb39de3fee7930084c68d8258232204957e4ce1c1b75ef7e543164bb3456b173cb5f8799e665a33e
SHA1 hash: 694ecc170b043fe3bcca0e79f93221046685b49c
MD5 hash: 3d7f01b8215fb447a4786b40f937229c
humanhash: football-arkansas-minnesota-carpet
File name:Ivan.xls
Download: download sample
Signature Gozi
Create hunting rule
File size:764'416 bytes
First seen:2021-06-09 18:52:31 UTC
Last seen:2021-06-09 19:40:54 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 6cd1f53d4cae43713389ad164e50d9b9 (1 x Gozi)
ssdeep 12288:PGSo5NbVfaqzIIjF70wfPcS8jRjfcnbKIalaiSZ+P56IRmAAHtdGNLWdzriRHoc9:PGSo3bVCqzIIjF70wncTjRDcnbTaWIg5
Threatray 341 similar samples on MalwareBazaar
TLSH 90F4AD0179C5D032D13215325E55F2F11BAEBC300E245AAF77D82EBFAF786824A2576B
Reporter bigmacjpg
Tags:dll Gozi


Avatar
bigmacjpg
Dropped by 0ce5ac71f0b4fcfed4daa9f862cdfeedae78f9195fe05123b895ad63c218d31b

Intelligence

File Origin
# of uploads :
2
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165701/
Detection(s):
SecuriteInfo.com.BScope.TrojanSpy.Ursnif.20245.7060.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Searching for the window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/799783
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bea4b9483f25ce74c1116e05cc655c4735bf33ef90ded340c56e55218c26b0e7/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-06-09 18:53:08 UTC
AV detection:
4 of 47 (8.51%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x2slssb7exhhjqirnyc4yzk4i4236m7psdpngqgfnzksddbgwdtq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
01fd38efd6b413c52b73ae4bdb563472a37a2ec440a8441a86ed11f4d8f4c5a0
Gozi
1da1183f1cd5f96f113a3b8978359b50380bfbc82e6987e274892edf56fcf3b5
Gozi
20c09f055323ec942cb40efc13c0ff06bb7c60f44087e9b8a4a4744bf80935ed
Gozi
478be2a2eff77ac1ad7ff5e048bfb795ff7afd323f8e95b769ad26c40e582f38
Gozi
8f8268c13ddc484a180cff0dd8e764e328897e7a978d0f45e9c26de57f233106
Gozi
9b83ff3af3645baf703075ecce628742d87f3349f08516d5affb105962b4fd6b
Gozi
aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1
Gozi
ab2ac6bebb2713759ce6e3d5db80fe8ccd4bb752199d9d71ce74a67ed8cf0c3b
Gozi
d5a501f4cc25f94df7c0b7546a1eba7798ce4d28f4052332429d52329e8f34dc
Gozi
f4a464c2e5f14cd4c391a9b5ba60deca36ccaa6c1503a097eeb0c5070945d1fb
Gozi
+ 331 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3500 banker trojan
Link:
https://tria.ge/reports/210609-15myhs2yf6/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
authd.feronok.com
app.bighomegl.at
Unpacked files
SH256 hash:
3c0a56966aa51d0fde45d56a0e07708ff0bf997a2a8e1134f3df4b81881a2493
MD5 hash:
2d8b5258704e549689002ea6f9ef6ecf
SHA1 hash:
d67b3c7f26d8409418cf7989c9110a89a62df22c
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/36c8c7ee-0277-4f4c-8905-33f35e045111/
SH256 hash:
bea4b9483f25ce74c1116e05cc655c4735bf33ef90ded340c56e55218c26b0e7
MD5 hash:
3d7f01b8215fb447a4786b40f937229c
SHA1 hash:
694ecc170b043fe3bcca0e79f93221046685b49c
Link:
https://www.unpac.me/results/36c8c7ee-0277-4f4c-8905-33f35e045111/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bea4b9483f25ce74c1116e05cc655c4735bf33ef90ded340c56e55218c26b0e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165701/

Comments