MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca3408df31dc066d6ec4feea0388ca8d0cf5d35393bd5a6f1979b9af590f7615. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca3408df31dc066d6ec4feea0388ca8d0cf5d35393bd5a6f1979b9af590f7615
SHA3-384 hash: e100df2a39996e5f221f4bf57c71ad1a4feb4303930463ac4386ecd3dbdc969fe6bce62e9f4038d809dbf42d4172fd87
SHA1 hash: 101b89112be002d90e39b62496e79146ab8fc87a
MD5 hash: 25507f89abd96f37d80e0596cd834e26
humanhash: pip-king-illinois-fifteen
File name:pan0ramic0.jpg.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:245'104 bytes
First seen:2021-01-22 06:46:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae5a6629a40271320ab3ee0682a2bc43 (1 x Gozi)
ssdeep 3072:i7l4qoeT6dSdCbTg4/kvPYQAMb5OkwRm8BThNb9Zm7FKUp9Qp3WaC7Be2egwqQXE:i7WqorYUePYQxR8ZhNkN9HaV3HX7xuh
TLSH 2834AE42F4942473F36BACFD9294A7D25B17D63A1F4EAFCB36CC09D188B62416932318
Reporter JAMESWT_WT
Tags:dll enigaseluce Gozi isfb Ursnif

Code Signing Certificate

Organisation:VeriSign Time Stamping Services Signer - G2
Issuer:VeriSign Time Stamping Services CA
Algorithm:sha1WithRSAEncryption
Valid from:Jun 15 00:00:00 2007 GMT
Valid to:Jun 14 23:59:59 2012 GMT
Serial number: 3825D7FAF861AF9EF490E726B5D65AD5
Intelligence: 44 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8815DFF787F21FA8106760CB89C5B4493F4BD45E2CE801D2A4FE1F61DEE0C039
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
383
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Downloads.zip
Verdict:
Malicious activity
Analysis date:
2021-01-22 06:35:56 UTC
Tags:
loader trojan
Link:
https://app.any.run/tasks/20f023a9-01e3-4f78-8f3d-fb57fdae7173

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113455/
Detection(s):
SecuriteInfo.com.Generic.mg.25507f89abd96f37.21038.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/588014
Signature
Machine Learning detection for sample
PE file has a writeable .text section
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 343034 Sample: pan0ramic0.jpg.dll Startdate: 22/01/2021 Architecture: WINDOWS Score: 64 34 Yara detected  Ursnif 2->34 36 Machine Learning detection for sample 2->36 38 PE file has a writeable .text section 2->38 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 5 8->10         started        13 cmd.exe 1 8->13         started        signatures5 40 Writes or reads registry keys via WMI 10->40 42 Writes registry values via WMI 10->42 15 iexplore.exe 1 83 13->15         started        process6 process7 17 iexplore.exe 145 15->17         started        20 iexplore.exe 25 15->20         started        22 iexplore.exe 29 15->22         started        dnsIp8 24 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49754, 49755 FASTLYUS United States 17->24 26 www.msn.com 17->26 32 8 other IPs or domains 17->32 28 ocsp.sca1b.amazontrust.com 143.204.214.142, 49798, 49799, 80 AMAZON-02US United States 20->28 30 192.168.2.1 unknown unknown 22->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca3408df31dc066d6ec4feea0388ca8d0cf5d35393bd5a6f1979b9af590f7615/
Threat name:
Win32.PUA.Wacapew
Create hunting rule
Status:
Malicious
First seen:
2021-01-22 06:47:22 UTC
File Type:
PE (Dll)
AV detection:
5 of 46 (10.87%)
Threat level:
  1/5
Verdict:
unknown
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker ransomware trojan
Link:
https://tria.ge/reports/210122-n53pypw49j/
Behaviour
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
ca3408df31dc066d6ec4feea0388ca8d0cf5d35393bd5a6f1979b9af590f7615
MD5 hash:
25507f89abd96f37d80e0596cd834e26
SHA1 hash:
101b89112be002d90e39b62496e79146ab8fc87a
Link:
https://www.unpac.me/results/b230f9b5-2062-4aaf-9fb3-45eccc57ca72/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca3408df31dc066d6ec4feea0388ca8d0cf5d35393bd5a6f1979b9af590f7615

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe ca3408df31dc066d6ec4feea0388ca8d0cf5d35393bd5a6f1979b9af590f7615

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/113455/
  
URLhaus
https://urlhaus.abuse.ch/url/973670/
  
Delivery method
Distributed via web download

Comments