MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb
SHA3-384 hash: 6838a29232aa86b1d4e8e268ac33bc72241e804bc4973308d278037b72fd29234f68e34b623f56085acfecaae1ee185c
SHA1 hash: cb4875231e231158f462ed2ba0ef2f0b15d24645
MD5 hash: 3ebfd3e6d5d784a7fef7032b4d1a82fe
humanhash: magnesium-nitrogen-apart-batman
File name:2nd-payload.bin
Download: download sample
Signature Gozi
Create hunting rule
File size:253'952 bytes
First seen:2023-01-11 14:44:37 UTC
Last seen:2023-01-11 16:29:46 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 9b7a3496c1996bc3e714e5002dad5350 (1 x Gozi)
ssdeep 3072:WkYlN6Rbs4dOVb3rfeYVNhwZ5gdjMdMm1Z05k5Pryy7NXQ5VWe/y/hMM694JycnH:YOFEVGYVXogd6Mm1qWRcshMMEQBn
Threatray 1'473 similar samples on MalwareBazaar
TLSH T109449E10EA61C03DF5BB12FC99BA937CA52C7EA0573484CB52D82AEE47295E4EC31357
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:brt dll Gozi secondstage Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351975/
Detection(s):
Can't access file ERROR
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63becb6f0fdf1633326e972e/reports/56619d00-ffdb-451d-92f8-d52d7db1bbce/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4740de50-b997-4f2c-9b5a-baafdf9b7bfc
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1149646
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 782377 Sample: 2nd-payload.bin.dll Startdate: 11/01/2023 Architecture: WINDOWS Score: 100 97 Snort IDS alert for network traffic 2->97 99 Malicious sample detected (through community Yara rule) 2->99 101 Multi AV Scanner detection for submitted file 2->101 103 3 other signatures 2->103 9 loaddll32.exe 7 2->9         started        12 mshta.exe 2->12         started        14 mshta.exe 2->14         started        16 2 other processes 2->16 process3 signatures4 131 Writes to foreign memory regions 9->131 133 Allocates memory in foreign processes 9->133 135 Modifies the context of a thread in another process (thread injection) 9->135 137 3 other signatures 9->137 18 control.exe 9->18         started        21 regsvr32.exe 1 6 9->21         started        23 cmd.exe 1 9->23         started        34 2 other processes 9->34 25 powershell.exe 12->25         started        27 powershell.exe 14->27         started        29 powershell.exe 16->29         started        32 powershell.exe 16->32         started        process5 file6 105 Changes memory attributes in foreign processes to executable or writable 18->105 107 Injects code into the Windows Explorer (explorer.exe) 18->107 109 Writes to foreign memory regions 18->109 111 Allocates memory in foreign processes 18->111 36 explorer.exe 18->36 injected 113 Writes or reads registry keys via WMI 21->113 115 Writes registry values via WMI 21->115 39 control.exe 21->39         started        41 rundll32.exe 6 23->41         started        117 Modifies the context of a thread in another process (thread injection) 25->117 119 Maps a DLL or memory area into another process 25->119 121 Creates a thread in another existing process (thread injection) 25->121 49 3 other processes 25->49 51 3 other processes 27->51 93 C:\Users\user\AppData\...\ypjh0bvj.cmdline, Unicode 29->93 dropped 44 csc.exe 29->44         started        53 2 other processes 29->53 55 3 other processes 32->55 123 System process connects to network (likely due to code injection or exploit) 34->123 47 control.exe 34->47         started        signatures7 process8 dnsIp9 125 Disables SPDY (HTTP compression, likely to perform web injects) 36->125 57 RuntimeBroker.exe 36->57 injected 59 rundll32.exe 39->59         started        95 91.215.85.143, 49706, 49707, 49708 PINDC-ASRU Russian Federation 41->95 127 Writes to foreign memory regions 41->127 129 Writes registry values via WMI 41->129 61 control.exe 41->61         started        77 C:\Users\user\AppData\Local\...\ypjh0bvj.dll, PE32 44->77 dropped 63 cvtres.exe 44->63         started        65 rundll32.exe 47->65         started        79 C:\Users\user\AppData\Local\...\hzpepmkn.dll, PE32 49->79 dropped 81 C:\Users\user\AppData\Local\...\eecqybl4.dll, PE32 49->81 dropped 69 2 other processes 49->69 83 C:\Users\user\AppData\Local\...\wohtagge.dll, PE32 51->83 dropped 85 C:\Users\user\AppData\Local\...\k4ukovr5.dll, PE32 51->85 dropped 71 2 other processes 51->71 87 C:\Users\user\AppData\Local\...\zgzerqvf.dll, PE32 53->87 dropped 67 cvtres.exe 53->67         started        89 C:\Users\user\AppData\Local\...\zgxhnffj.dll, PE32 55->89 dropped 91 C:\Users\user\AppData\Local\...\p3niradi.dll, PE32 55->91 dropped 73 2 other processes 55->73 file10 signatures11 process12 process13 75 rundll32.exe 61->75         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2023-01-11 14:09:32 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zm5wpkmaxkjbmjpm34ec2ummoou7qdhbwlkpikfw5filecuwrc5q._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0f5cce66023859e9d7e3f54b78e95bf09618db5ed01fe05b765d76ab156271da
Gozi
0f997ba8de3188cba8ba064480ee5171c3e1dc322f3aac97ecd4aa4617991c7b
Gozi
54e1a7dc75b550786afcb0601020a2c50739347541cc8cb969acf76b90222458
Gozi
65f687a5c0e757cd8e296f8b0453b27726e5017502e93dcb8379d59fe9c056a3
Gozi
7ad0db9da1c28e6d12826b846ee3c82bda649e00d717cb2c4aefeaed56ea48ce
Gozi
86a8a3bcc0a4753d4b21de458d5750af3e9e6301c58e6449404488ff873982a0
Gozi
b43477f47c385bafdba8ad86f3dc7f01b2ee6076bcc1eb53d3d5219e2952cc9d
Gozi
b56043cc20c91f39773e23f2e34612cf4453df9c650b8014b756dffa850b009e
Gozi
f0b465a712cebb5906d45724f884fa0e43cb7cbc954babbad0f1d676af2db479
Gozi
+ 1'463 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:5050 banker isfb trojan
Link:
https://tria.ge/reports/230111-r4qmsshb41/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Gozi
Malware Config
C2 Extraction:
config.edge.skype.com
91.215.85.143
mikoprikodx.com
boxidoxyx.com
91.215.85.174
Unpacked files
SH256 hash:
95a9d3684a37fe970c46e62eff081e0566bcc0bed65225c19504a720d28d4f79
MD5 hash:
21c75e25a01ab509e08e221e848437f0
SHA1 hash:
c2d65f392dd8a827a9f79023b5a81beae05941d9
Link:
https://www.unpac.me/results/cdd00aa4-8f38-4125-b059-3ef3cfcf4c2e/
SH256 hash:
5e75a2300d22bc81ce007b662cbfdbda2becaf7bce13dfc6035497b99c1906ac
MD5 hash:
62f840fe80cfe22726f76073c56a271a
SHA1 hash:
01d30d2d323cd6a987f3b4ad1d8531b85ce096fe
Link:
https://www.unpac.me/results/cdd00aa4-8f38-4125-b059-3ef3cfcf4c2e/
SH256 hash:
cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb
MD5 hash:
3ebfd3e6d5d784a7fef7032b4d1a82fe
SHA1 hash:
cb4875231e231158f462ed2ba0ef2f0b15d24645
Link:
https://www.unpac.me/results/cdd00aa4-8f38-4125-b059-3ef3cfcf4c2e/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cb3b67a980ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351975/

Comments