MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c317c52e7b95e14ae974df6fe99df3e5c976b2186897f19fbef68add5dcc28ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c317c52e7b95e14ae974df6fe99df3e5c976b2186897f19fbef68add5dcc28ea
SHA3-384 hash: ec2935b39c031f091ccdabacd0db609b65a7c9ad8ded31b1610cfe30f936d2436e969a10fa51b8c86f95336abcb95e10
SHA1 hash: 32c33076ea6a24fdfca376338eeaf93e87ac948c
MD5 hash: c3df79dafe7b52af61c291acb22bd79e
humanhash: lion-freddie-mars-four
File name:xspcd8 (2).dll
Download: download sample
Signature Gozi
Create hunting rule
File size:220'160 bytes
First seen:2020-12-03 10:46:08 UTC
Last seen:2020-12-03 12:53:36 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash e52c56c636c7f737590c4c91e79b2a8e (5 x Gozi)
ssdeep 3072:tO+b0Q1QZQ6QuQP1pNOtcR1sGFHlx5QN0SGrgv+iwTrH9ZZSTPCEyS+Vja8ziryL:txD1bOaR1Hbg0vr2+3rZSDCFZW8u2
Threatray 111 similar samples on MalwareBazaar
TLSH 9B24C0643194C07AE40714B58C06C7A196B93D706B66AECB7BC9AE3B9F305A5BF343C1
Reporter JAMESWT_WT
Tags:dll Gozi isfb pw 5236721 Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
356
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106583/
Detection(s):
SecuriteInfo.com.ArtemisC3DF79DAFE7B.30202.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Result
Gathering data
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/554553
Signature
Creates a COM Internet Explorer object
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 326375 Sample: xspcd8 (2).dll Startdate: 03/12/2020 Architecture: WINDOWS Score: 68 19 Multi AV Scanner detection for submitted file 2->19 21 Yara detected  Ursnif 2->21 6 loaddll32.exe 1 2->6         started        9 iexplore.exe 2 82 2->9         started        process3 signatures4 23 Writes or reads registry keys via WMI 6->23 25 Writes registry values via WMI 6->25 27 Creates a COM Internet Explorer object 6->27 11 rundll32.exe 6->11         started        13 rundll32.exe 6->13         started        15 rundll32.exe 6->15         started        17 iexplore.exe 36 9->17         started        process5
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c317c52e7b95e14ae974df6fe99df3e5c976b2186897f19fbef68add5dcc28ea/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 10:46:36 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
07a73fb70fa63ff53d091c68cb1e5728314ff7b479ca695050173faf3f8f5ea2
Gozi
1302b4037bd0759b5eac425cf3b4333621d2357c8d7d26f910a3473d8618b739
Gozi
1b3b5a0f763692e182e4ec002a871aa61c91341a448dd3241ff7c5d0be094f66
Gozi
2900169349643be6f77530141614eeac56e7b22387b9acf866ed4e4922e32401
Gozi
2b120acc21bb146f94d229b7efeef732ab31dc9874fa00174f61e7673982a309
Gozi
733cbecbe9469a90f40dc38448866df368238aac203fa9c986cd6b45d8057aa7
Gozi
7ca733ebb2fc1c0fc99bb61736c8c5a2b619110ef0ce8119207157247ecee478
Gozi
af01b8ece8f568f76bee77c812b47a4c46c7a969a76c3b69b3ffdc86d58654f7
Gozi
c4e6f5cfecd2f30e47b684e5e57a6a9c9b03853546959baaf39e5948b7c9e15b
Gozi
e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536
Gozi
+ 101 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201203-nxpb9f7n36/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer Phishing Filter
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
14d2c41d38be178b7f382ddeaf61d74ca22ea24a4cf78d61fa39da57674f5fc5
MD5 hash:
ff4cbbff9e04ec2d32a1d81b3b021c27
SHA1 hash:
0466d0986fce2c43d4369c91814c5b08d057a5c0
Link:
https://www.unpac.me/results/cc80e0a8-3085-41b4-b3a1-1cfa8183fd9c/
SH256 hash:
565b18e17db98d9820dfd504ad5239806734c7e434fe605e5caaf2b4619036fd
MD5 hash:
32552af170552def743ad513a911babf
SHA1 hash:
18d330e627cc64dccec350d61581c6ddf3c07c6f
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/cc80e0a8-3085-41b4-b3a1-1cfa8183fd9c/
Parent samples :
89c0ff2a9bcbc1e2f6054bfbc9f9325e3b02ee2547ed71fc5803d1889f0f642b
af01b8ece8f568f76bee77c812b47a4c46c7a969a76c3b69b3ffdc86d58654f7
c317c52e7b95e14ae974df6fe99df3e5c976b2186897f19fbef68add5dcc28ea
7721248f6c524da20b6f51b54e486e5d58766b29dfc5664a3e7a692dd2eb6655
2cc1c3bd97262adacd9db09f5f42c0e7203a64f5dc9701bef0affaa75c444bd1
SH256 hash:
c317c52e7b95e14ae974df6fe99df3e5c976b2186897f19fbef68add5dcc28ea
MD5 hash:
c3df79dafe7b52af61c291acb22bd79e
SHA1 hash:
32c33076ea6a24fdfca376338eeaf93e87ac948c
Link:
https://www.unpac.me/results/cc80e0a8-3085-41b4-b3a1-1cfa8183fd9c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c317c52e7b95e14ae974df6fe99df3e5c976b2186897f19fbef68add5dcc28ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/106583/

Comments