MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4e6f5cfecd2f30e47b684e5e57a6a9c9b03853546959baaf39e5948b7c9e15b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4e6f5cfecd2f30e47b684e5e57a6a9c9b03853546959baaf39e5948b7c9e15b
SHA3-384 hash: cc1f10409ec687b425d9e332427ae733f50229b6b5e09068e77ceee5d06a4cf0e6cf8531d0cb844003c3529fea83a34a
SHA1 hash: 2d5b79b6fa18163032f1e6e073d8eba48f41fbcf
MD5 hash: 3a1ebc82a5c0c8eccc290f16d7082c9d
humanhash: tennessee-wolfram-skylark-red
File name:con3cti0n.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:194'976 bytes
First seen:2020-11-24 07:46:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 989e79450b21f24b6ea8c714acd7ae59 (1 x Gozi)
ssdeep 3072:F8RuEWNWjJnNhNtFGKyZg5urOh/aVG4XL6UzQjMsxhIgeyCTyVv+GLo:AuRUJnfN2KqG0Gw6HJX0yV2GE
Threatray 28 similar samples on MalwareBazaar
TLSH 1C14D0076CD6B0F4DAFF84BFA4FAB7DB8A5B8319454CABBA3B5C04D89574141104E2B8
Reporter JAMESWT_WT
Tags:dll Gozi isfb tributario Ursnif

Code Signing Certificate

Organisation:Symantec Time Stamping Services CA - G2
Issuer:Thawte Timestamping CA
Algorithm:sha1WithRSAEncryption
Valid from:Dec 21 00:00:00 2012 GMT
Valid to:Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/545754
Signature
Creates a COM Internet Explorer object
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321972 Sample: con3cti0n.dll Startdate: 24/11/2020 Architecture: WINDOWS Score: 84 34 Found malware configuration 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected  Ursnif 2->38 40 2 other signatures 2->40 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 cmd.exe 1 8->13         started        signatures5 42 Writes or reads registry keys via WMI 10->42 44 Writes registry values via WMI 10->44 46 Creates a COM Internet Explorer object 10->46 15 iexplore.exe 2 70 13->15         started        process6 process7 17 iexplore.exe 5 168 15->17         started        20 iexplore.exe 25 15->20         started        22 iexplore.exe 29 15->22         started        dnsIp8 24 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49735, 49736 FASTLYUS United States 17->24 26 www.msn.com 17->26 32 7 other IPs or domains 17->32 28 ocsp.sca1b.amazontrust.com 13.224.195.167, 49760, 49761, 80 AMAZON-02US United States 20->28 30 192.168.2.1 unknown unknown 20->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4e6f5cfecd2f30e47b684e5e57a6a9c9b03853546959baaf39e5948b7c9e15b/
Threat name:
Win32.Trojan.GoziIfsb
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 07:47:05 UTC
File Type:
PE (Dll)
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0819171ecacc60ce94d946b5f2d4939f4b27c2d9275feb439a40ef6e927473c2
Gozi
1302b4037bd0759b5eac425cf3b4333621d2357c8d7d26f910a3473d8618b739
Gozi
1b3b5a0f763692e182e4ec002a871aa61c91341a448dd3241ff7c5d0be094f66
Gozi
2900169349643be6f77530141614eeac56e7b22387b9acf866ed4e4922e32401
Gozi
733cbecbe9469a90f40dc38448866df368238aac203fa9c986cd6b45d8057aa7
Gozi
7f78709da704f5fe0f08e67661f668381028e7649ec06028b89fb43947ee4d8d
Gozi
8a6d1c13983162c59ba681bcbad0b8c0b9cbf87fb06750125bb97172b7206605
Gozi
d365d2272c6be7f3420d9083251496bfa2f48e4b2ac2f3563b65c3b246714a18
Gozi
e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536
Gozi
e33157d0b5973fb880934006b1427f5ad53ae3f471e81a9a8460772d7f5b3657
Gozi
+ 18 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201124-3b9kxkgyg6/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer Phishing Filter
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
c4e6f5cfecd2f30e47b684e5e57a6a9c9b03853546959baaf39e5948b7c9e15b
MD5 hash:
3a1ebc82a5c0c8eccc290f16d7082c9d
SHA1 hash:
2d5b79b6fa18163032f1e6e073d8eba48f41fbcf
Link:
https://www.unpac.me/results/57e00712-0bae-47b5-b4d7-9e94aab01817/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ursnif
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/c4e6f5cfecd2f30e47b684e5e57a6a9c9b03853546959baaf39e5948b7c9e15b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe c4e6f5cfecd2f30e47b684e5e57a6a9c9b03853546959baaf39e5948b7c9e15b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/848175/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/848177/
  
URLhaus
https://urlhaus.abuse.ch/url/848178/
  
URLhaus
https://urlhaus.abuse.ch/url/848176/
  
URLhaus
https://urlhaus.abuse.ch/url/848179/

Comments