MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce3d465a139b6c7ca2b3414a08230b50b1e2e341310113ada498c2aecdce1d96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce3d465a139b6c7ca2b3414a08230b50b1e2e341310113ada498c2aecdce1d96
SHA3-384 hash: b735a0174891b41eb3347ed356f277d768040e362b2ecbe6499c96ea5377b1c0e875349f270b15cdb644c3084397603c
SHA1 hash: 2748f39c430664f6c4c9c1700f1b7d05908d8dfd
MD5 hash: dd165240f5a2de250727eb47e458d7db
humanhash: lemon-jig-magazine-table
File name:62a8495f3b293.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:446'464 bytes
First seen:2022-06-14 08:40:34 UTC
Last seen:2022-06-14 10:00:42 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash d31c477cc159d9752f6e8ef56c0d2af9 (2 x Gozi)
ssdeep 6144:OgM9+UjmlPHBQKICVMLSzJvvsb2Z10DDnapRYcri8f4XAIrIiG:OL9+JPHBcCVMLSzJvvQ2Z16a7gXAIHG
Threatray 603 similar samples on MalwareBazaar
TLSH T1A294BF06EE3BD678C7B9553FD616321B26A77038EE38D0E78353946A202589DA33D707
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter JAMESWT_WT
Tags:dll Gozi isfb ITA TNT Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
717
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/279694/
Detection(s):
SecuriteInfo.com.ArtemisDD165240F5A2.740.22159.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62a849ba96efd87b05f7c021/reports/2b1f38d4-c598-4777-945f-32bdfda7a233/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2913a489-4924-42b3-b84f-1834260d98f2
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1012690
Signature
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ce3d465a139b6c7ca2b3414a08230b50b1e2e341310113ada498c2aecdce1d96/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-06-14 08:41:09 UTC
File Type:
PE (Dll)
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zy6umwqttnwhzivtiffaqiylkcy6fy2bgearhlnetdbk5toodwla._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
00f830a0748680a63981f427ece7c3f4a989d97431dc1f4e78706eb8987a8286
Gozi
2d83e172a42b032b32606b203f2a1a9736acfd86e76ede8ff57b3292c035d139
Gozi
60064e7969abecfaab8fedd58e0277e9253f5f59d4f60e8a414af290d90ac6df
Gozi
e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d
Gozi
f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766
Gozi
fc4bee1a68545b7067fad93ba74478641acd683117f9fe478a4941d7146db959
Gozi
+ 593 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000 banker suricata trojan
Link:
https://tria.ge/reports/220614-klez1shba6/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Malware Config
C2 Extraction:
config.edge.skype.com
194.76.226.15
109.230.199.114
xmhomestilesh.at
geodezhols.at
185.189.151.35
194.76.225.96
Unpacked files
SH256 hash:
9fe764ec2cf232b5cf3afbdac83da4846ab4a7e11e5fda936097eec79bffa72b
MD5 hash:
00c5cefd7b8d986960d52fb37aad1f38
SHA1 hash:
fabf6f9f6890f94725c9556b671f62816b657b35
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/1c40997a-4def-4d95-b78d-9820ddf28f94/
Parent samples :
ce3d465a139b6c7ca2b3414a08230b50b1e2e341310113ada498c2aecdce1d96
b1d0b5b4ce535cdbf0b8fbd21c8583fbade52436da55fbb7c1d4c75d47eca75c
SH256 hash:
eed154684803be42afd2d79e7247fc955a1acadf0409d6eb3d179e34ce8fa0db
MD5 hash:
9dee25ea8eecdb999dcd5ab5160ed378
SHA1 hash:
7e5f3e42e100ecb4aca65bedfdeeae671f3dbf98
Link:
https://www.unpac.me/results/1c40997a-4def-4d95-b78d-9820ddf28f94/
SH256 hash:
ce3d465a139b6c7ca2b3414a08230b50b1e2e341310113ada498c2aecdce1d96
MD5 hash:
dd165240f5a2de250727eb47e458d7db
SHA1 hash:
2748f39c430664f6c4c9c1700f1b7d05908d8dfd
Link:
https://www.unpac.me/results/1c40997a-4def-4d95-b78d-9820ddf28f94/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce3d465a139b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ce3d465a139b6c7ca2b3414a08230b50b1e2e341310113ada498c2aecdce1d96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/279694/

Comments