MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c45c6faa94764a703ef64098046ffbb24eebd81bc360f31f441b884a8cddae5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c45c6faa94764a703ef64098046ffbb24eebd81bc360f31f441b884a8cddae5f
SHA3-384 hash: d3a4b4ede96a8c083ec9ab091687b32cd12e7d6094b41d6267c67300705cef17e42ae718b19d5a1ea4b419e6277b337a
SHA1 hash: 2fb95c18197d28fa2f06256320db4b277e126671
MD5 hash: 826e27ebe4950a57b944757673b9a93a
humanhash: maryland-delta-cold-eleven
File name:611242387c2b3.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:493'056 bytes
First seen:2021-08-10 09:11:18 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash c8043e6c49fd266fe13abb78b85e530c (1 x Gozi)
ssdeep 6144:5V6cQ5JWuSGbFMmNMiYrA9JnAURrQS4e25BbUV7TXSwtiYRhicrBn25ywXCu16AB:5VGJHd5MKbfrme25BAvsYOJywyu8wXQ
Threatray 444 similar samples on MalwareBazaar
TLSH T1E9A47A143645ED32D1E326320B55E5A5635E30752B3440CF3AEC7EAE2FA55E32A3A34B
Reporter JAMESWT_WT
Tags:brt dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'124
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177872/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aaf52769-9ad7-4e3e-af40-dd11f24f06b3
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/830034
Signature
Found malware configuration
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c45c6faa94764a703ef64098046ffbb24eebd81bc360f31f441b884a8cddae5f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yrog7kuuozfhapxwicmai373wjhoxwa3ynqpgh2edoeevdg5vzpq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
171c18f740641ffc0e1ce486feacabb367292d01627a7103cd614e9a746a9b9c
Gozi
54ce5aedb7cc073c481eb8af96f89f3ab11e5decaccf942d033479fd0f04c8b3
Gozi
683f12747c11016669f9a7413b8975c615f39d2d530b1825eff8a36479e303ff
Gozi
6c99703002ea5284f603d0041f3a72b3a9e26f8f7af45a1f5e34e4297be0efb8
Gozi
9314c01984c89151f6d4624acad638fe054b3036fcc5115271cb598954c20070
Gozi
9c4088dfc53bb7b6d9887d200801a926b73c09458910460a2d6f4e2d67f13e6e
Gozi
+ 434 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8877 banker trojan
Link:
https://tria.ge/reports/210810-5p7jf2akbj/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
boyuleruner.online
coyuleruner.online
Unpacked files
SH256 hash:
81430da7346138bb5aec4ebfb8d79d4662a213ca4ba0d6f73a02a3276fecd3f6
MD5 hash:
e65fb2bd1736061b335608c70e4cd203
SHA1 hash:
af3c286b9117dd0c94c10c5142e4237ffd80791a
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/d6217dda-7da4-492a-95fe-e715a2dc788e/
SH256 hash:
c45c6faa94764a703ef64098046ffbb24eebd81bc360f31f441b884a8cddae5f
MD5 hash:
826e27ebe4950a57b944757673b9a93a
SHA1 hash:
2fb95c18197d28fa2f06256320db4b277e126671
Link:
https://www.unpac.me/results/d6217dda-7da4-492a-95fe-e715a2dc788e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c45c6faa94764a703ef64098046ffbb24eebd81bc360f31f441b884a8cddae5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177872/

Comments