MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 10



SHA256 hash: cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d
SHA3-384 hash: 8603ac4ab4f15216f9b048973e0e70d3cdbcc5df002abd72ece1e7e07d5f703d297f3c7299a6d81de1b979c8405177cb
SHA1 hash: b55a9ae7a9ccd44dd3516e557e295e3f1cce750e
MD5 hash: e07d47927df912332bc84b3f98586091
humanhash: river-florida-fish-wisconsin
File name: 2200.dll
Signature: Gozi
File size: 610'304 bytes
First seen: 2021-02-12 00:44:35 UTC
Last seen: 2021-02-12 18:45:23 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: a6d55890f5859d9f8802dc75c82d2c1d (1 x Gozi)
ssdeep: 6144:Gp/yi90cYdmY9BRYZxhYVnacWeBg4luVJpVG0qMdRWGzwa1NGr43FUHcI3Gs3OZD:Yai45Taefl2pEQRWGzPMr418GwaPIMT
Threatray: 3 similar samples on MalwareBazaar
TLSH: 47D402313BD090AAC452993C4425FEA8C0AB7D9B9A29517371FF7F1F237626142AEB01
Reporter: p5yb34m
Tags: dll Gozi ifsb


p5yb34m
Sample URL:
https://vivid-memoirs.com/wp-content/plugins/duplicator/views/help/2200.dll

C2s:
api10.laptok.at/api1
golang.feel500.at/api1
go.in100k.at/api1

Intelligence


File Origin
# of uploads: 3
# of downloads: 237
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Gozi Ursnif
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Detected Gozi e-Banking trojan
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph: ID 352230 (Sample: 2200.dll, Start date: 12/02/2021, Architecture: WINDOWS, Score: 100)
Threat name:
Win32.Trojan.Ursnif
Status:
Malicious
First seen:
2021-02-10 21:24:55 UTC
File Type:
PE (Dll)
AV detection:
19 of 29 (65.52%)
Threat level: 5/5
Result
Malware family:
gozi_ifsb
Score: 10/10
Tags:
family:gozi_ifsb botnet:2200 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
api10.laptok.at/api1
golang.feel500.at/api1
go.in100k.at/api1
Unpacked files
SHA256 hash:
9147de3733108479d832b156fa0ef8db963faf054b3093e68279a868a314b93d
MD5 hash:
8056ebc61e29d1486f2393afe9489734
SHA1 hash:
73935e3f3ebc476f7e7e2ec7225ed173ac4a2c08
Detections:
win_isfb_auto
SHA256 hash:
cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d
MD5 hash:
e07d47927df912332bc84b3f98586091
SHA1 hash:
b55a9ae7a9ccd44dd3516e557e295e3f1cce750e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gozi
File type: DLL
SHA256 hash: cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d (this sample)

Comments