MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 16

Intelligence 16 IOCs YARA 11 File information Comments

SHA256 hash:	bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd
SHA3-384 hash:	b1651fab872db628012892042dc0d31c8161d77e76ea42b47fca182edeeb055d0c0e1924d3eba326808f16bbfb22e977
SHA1 hash:	64240992ba99ae27b0bb4fe277a95524a4b139db
MD5 hash:	c788f8e7a2d0311297bd198ca9d05ec8
humanhash:	mirror-sad-freddie-hotel
File name:	Client.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	432'128 bytes
First seen:	2023-09-28 15:02:24 UTC
Last seen:	2023-10-03 06:23:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e6fb850d2bff611dd00076ce8bb92a4c (1 x Gozi)
ssdeep	6144:eH0vsBFRMXdX0tn7qnmUVR9g0pHii2B8mG+R2FLxgwExgw:eH0v4FRyX0tnWnN9pHiN4+R2NxEx
Threatray	262 similar samples on MalwareBazaar
TLSH	T144946CD9B4418032D1B314351E38EE734A6E7C60CD645ECBA7D4F97A8B374C2A73AA16
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	0680968696969a9a (1 x Gozi)
Reporter	JAMESWT_WT
Tags:	agenziaentrate exe Gozi isfb Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

387

Origin country :

Vendor Threat Intelligence

Detection:

UrsnifV3

Link:

https://www.capesandbox.com/analysis/451806/

Detection(s):

SecuriteInfo.com.Win32.BotX-gen.11468.11486.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

Creating a window

Searching for the window

Creating a file in the %temp% directory

Creating a file

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Running batch commands

Setting browser functions hooks

Possible injection to a system process

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Сreating synchronization primitives

Stealing user critical data

Unauthorized injection to a system process

Unauthorized injection to a browser process

Gathering data

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/651595a732ffdb7a7a17a8ba/reports/8860726d-b8c4-4540-aad0-536cdfa88df3/overview

Verdict:

Malicious

Labled as:

TrojanS.F23C58EC

Link:

https://www.hybrid-analysis.com/sample/bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c84f5f15-722a-482d-9741-03586980fa99

Result

Threat name:

Ursnif, Strela Stealer

Detection:

malicious

Classification:

bank.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1315939

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Changes memory attributes in foreign processes to executable or writable

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Found malware configuration

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Sigma detected: Dot net compiler compiles file from suspicious location

Snort IDS alert for network traffic

Suspicious powershell command line found

System process connects to network (likely due to code injection or exploit)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Yara detected Ursnif

Yara detected Strela Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

gozi

Link:

https://mwdb.cert.pl/sample/bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd/

Threat name:

Win32.Spyware.TrickBot

Status:

Malicious

First seen:

2023-09-28 15:01:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x4rx6zbm2be34hql42g6b455n3mxxz6qkbm7wkbf7fh5bjnp5p6q._file

Verdict:

malicious

Label(s):

gozi

Gozi

26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81

Gozi

3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd

Gozi

64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6

Gozi

90dcd0a0441c0bfc7b488901ec4c5cd884e7a7e983a461aa1da113f973ee8ff9

Gozi

a2d1e788f4bb4f2d5e78004374b60c39a7208dcc4e8523eca686719d32bedd4d

Gozi

+ 252 additional samples on MalwareBazaar

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:5050 banker dave isfb trojan

Link:

https://tria.ge/reports/230928-se1l5sdf54/

Behaviour

Dave packer

Gozi

Malware Config

C2 Extraction:

netsecurez.com
whofoxy.com
mimemoa.com
ntcgo.com

Unpacked files

SH256 hash:

a121c2d98a7c8a815d48ae9201956f6489ff41b76af7a25c30e7cfaefa799c88

MD5 hash:

f21a13c84c2b17685ff9159eaf9d8e08

SHA1 hash:

c750d2efc96d0f41ffc776b8b257d7ff81a71a57

Link:

https://www.unpac.me/results/9622e520-4356-4d01-853e-ba0cd5b5e355/

SH256 hash:

62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4

MD5 hash:

f2fce2e4bcb49ba32df2a5d4bb8c6644

SHA1 hash:

c53eba835d111b487b3550ebeac4e556b7c58e75

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/9622e520-4356-4d01-853e-ba0cd5b5e355/

Parent samples :

0593d290e0110f628cd3922e52e1997354d1eaaf40f2ab192c5d12c811f5ba53
a2d1e788f4bb4f2d5e78004374b60c39a7208dcc4e8523eca686719d32bedd4d
5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587
64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6
26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81
62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4
3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd
bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd

SH256 hash:

4bd1f52eb03c84f3f4dce6cb60cee79c61ac4858988a9b0b22fbb5a16801110c

MD5 hash:

b56288e9cceb2933a9e8cf8e96156511

SHA1 hash:

7534a20eac85bbef03fa66038cdb50f4d1ad18ea

Link:

https://www.unpac.me/results/9622e520-4356-4d01-853e-ba0cd5b5e355/

SH256 hash:

bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd

MD5 hash:

c788f8e7a2d0311297bd198ca9d05ec8

SHA1 hash:

64240992ba99ae27b0bb4fe277a95524a4b139db

Link:

https://www.unpac.me/results/9622e520-4356-4d01-853e-ba0cd5b5e355/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bf237f642cd0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_indirect_function_call_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/451806/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample