MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 7



SHA256 hash: d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba
SHA3-384 hash: 7346d580a59a73d53fbb2d861ef7f352194c80de496546631ee40ebce62d1a4c7cabc6be55a603ce9cce0f04009b8703
SHA1 hash: 64bf265931d406c6c1632c5a6a16cbf335b1202e
MD5 hash: 7012fcbeda3bebbceef18eba8e2a78db
humanhash: idaho-stream-oxygen-west
File name: d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba
Signature: Gozi
File size: 373'760 bytes
First seen: 2020-11-10 11:41:40 UTC
Last seen: 2024-07-24 21:38:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 39e1df0ca9d5d6a25857dace6555995f (3 x Gozi)
ssdeep: 6144:k50rh7YJXn3YlZmKci5C6AKpDfCMDRV+8h1AFV:BVMJXnolZmzJNKprRVNAn
Threatray: 5 similar samples on MalwareBazaar
TLSH: FD840211F4EDC475E52D46FA8896C791127ABDF92D2905833BC09E8D4A32AF1CB6E343
Reporter: seifreed
Tags: Gozi

Intelligence


File Origin
# of uploads: 3
# of downloads: 168
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected Gozi e-Banking trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect virtualization through RDTSC time measurements
Tries to steal Mail credentials (via file access)
Uses nslookup.exe to query domains
Writes to foreign memory regions
Behaviour
Behavior Graph: [graph image not preserved] Behavior Graph ID: 313351; Sample: H58f3VmSsk; Startdate: 10/11/2020; Architecture: WINDOWS; Score: 100.
Process chain recoverable from the graph: H58f3VmSsk.exe drops C:\Users\user\AppData\...\Chaklper.exe and starts cmd.exe; Chaklper.exe starts svchost.exe, which injects into explorer.exe (thread injection, mapping a DLL or memory area into another process). The injected explorer.exe contacts korats.com (199.242.177.60, port 80, OMD3US, United States), vvservop.at and 5 other IPs or domains, and starts Chaklper.exe, cmd.exe and 7 other processes; one cmd.exe runs nslookup.exe, which queries myip.opendns.com via resolver1.opendns.com and 222.222.67.208.in-addr.arpa.
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2020-11-10 12:39:12 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:gozi_ifsb family:ursnif banker persistence spyware trojan
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Gozi, Gozi IFSB
Ursnif, Dreambot
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: Ursnif
Author: JPCERT/CC Incident Response Group
Description: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory
Reference: internal research

Rule name: Ursnif3
Author: kevoreilly
Description: Ursnif Payload

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments