MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42
SHA3-384 hash: d337976003ed8931691b1999dc5b17633e71c3ec1aaaf6114e1f4ff4c00a79272cef4af4566526477b4ce82bf38a58ef
SHA1 hash: 6ab2471aad73f3e59f721c8d3b662797cd0780f6
MD5 hash: 7441da3548290766203fb50e1da65983
humanhash: september-thirteen-robin-enemy
File name:update_canon_relise_9384848.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:245'760 bytes
First seen:2021-03-20 02:06:53 UTC
Last seen:2021-03-20 07:14:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e40d187c9305b8e1a4c2b8b45c147ade (3 x ArkeiStealer, 2 x Gozi, 2 x DanaBot)
ssdeep 6144:hFpyQs+fdJV2dwARZrk4XQCxqikuVxz9gDBkL+PMtY:tyZ+FJV2dwAbkCbUikiklj
TLSH 11347D00A7A0C034F5BB56F4897983EAB9B97AB05B2442CB92D52BEE17342F4DC31757
Reporter nao_sec
Tags:Gozi RigEK Ursnif


Avatar
nao_sec
Dropped from http[:]//milagress.chimkent[.]su//update_canon_relise_9384848.zip

Intelligence

File Origin
# of uploads :
3
# of downloads :
435
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0euj4.exe
Verdict:
Malicious activity
Analysis date:
2021-03-20 01:49:16 UTC
Tags:
trojan loader smoke gozi ursnif dreambot evasion stealer
Link:
https://app.any.run/tasks/6006e447-79a6-42d3-81e0-f9fb199e233b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/125735/
Detection(s):
SecuriteInfo.com.Troj.Kryptik-TR.8651.7861.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Sending a UDP request
Creating a window
DNS request
Searching for the window
Connection attempt
Deleting a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6faad588-99df-41a7-8ed1-ee7f17998065
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/646707
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hooks registry keys query functions (used to hide registry keys)
Machine Learning detection for sample
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Sigma detected: MSHTA Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 372321 Sample: update_canon_relise_9384848.exe Startdate: 20/03/2021 Architecture: WINDOWS Score: 100 40 resolver1.opendns.com 2->40 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 7 other signatures 2->48 8 update_canon_relise_9384848.exe 2->8         started        11 iexplore.exe 1 55 2->11         started        13 mshta.exe 2->13         started        15 3 other processes 2->15 signatures3 process4 signatures5 50 Detected unpacking (changes PE section rights) 8->50 52 Detected unpacking (overwrites its own PE header) 8->52 54 Writes or reads registry keys via WMI 8->54 56 Writes registry values via WMI 8->56 17 iexplore.exe 31 11->17         started        20 iexplore.exe 29 11->20         started        22 iexplore.exe 29 11->22         started        58 Suspicious powershell command line found 13->58 24 powershell.exe 13->24         started        26 iexplore.exe 31 15->26         started        28 iexplore.exe 31 15->28         started        30 iexplore.exe 35 15->30         started        process6 dnsIp7 34 dolsggiberiaoserkmikluhasya.chimkent.su 31.148.99.169, 49777, 49778, 49779 IHOR-ASRU Czech Republic 17->34 32 conhost.exe 24->32         started        36 sibedriamasterkkmoderatordstezya.ru 45.130.151.85, 49759, 49760, 49761 MARKTELRU Russian Federation 26->36 38 massidfberiatersksilkavayssstezya.ru 31.148.99.142, 80 IHOR-ASRU Czech Republic 28->38 process8
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42/
Threat name:
Win32.Trojan.BankerX
Create hunting rule
Status:
Malicious
First seen:
2021-03-20 02:07:05 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
21 of 47 (44.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2jcdhdtobjq672atvp2gcxqylvum7ola3fgjlrlzy3v374ozxzba._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8005 banker trojan
Link:
https://tria.ge/reports/210320-2gcdx2b7vn/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
ssddl2.microsoft.com
siberiarrmaskkapsulrttezya.ru
sibedriamasterkkmoderatordstezya.ru
massidfberiatersksilkavayssstezya.ru
dolsggiberiaoserkmikluhasya.chimkent.su
dolsibegriaosersk4ermanderezya.chimkent.su
rdosdripakloserikabyatezya.chimkent.su
rusddripakoloserufinurtdrfezya.chimkent.su
ripakteenrufinishryeuliliezya.ru
rufiteemnisripakhglassdzya.ru
rufinisrufripakhmileronurzya.ru
rurugyrfripakinishtokokusstezya.ru
rufislomnishsripakerdfnstezya.adygeya.su
adav.microsoft.com
stratosferiss.ru
miniklanssstoezya.ru
sbigaschyress.chimkent.su
bigsachyd.abkhazia.su
sbsigachyeytezya.ru
sbigfachykatezya.ru
fgbiggachykvangdikezya.adygeya.su
zstremniagrazaautobanya.club
stremnaarumndadstezya.com
zastremnesddstezya.ru
minstremnstoun.ru
stremnrootttd.ru
stremnntveinee.chimkent.su
zastremnsamohodkakas.agency
Unpacked files
SH256 hash:
d205f030da71f4967a3524eba124e588d7924b13752a8dcf694ab41c5bfe32ef
MD5 hash:
f76936131edbaede06e14867b8fe4873
SHA1 hash:
9f291dd75e48efe7654c152e9972c4573986f006
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/161fadd4-ddbd-428d-8851-65ced99f1f3d/
Parent samples :
dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6
f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641
aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154
d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42
556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb
SH256 hash:
298d0ff74e2d7a07d367709d17b599bd3e9f756c866829cf2f262d83f02645ac
MD5 hash:
1f12d6d3bf04a979e540dc0f95fcf87e
SHA1 hash:
2f93e036427dde49417e358467041e26050100c9
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/161fadd4-ddbd-428d-8851-65ced99f1f3d/
Parent samples :
dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6
f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641
aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154
d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42
556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb
SH256 hash:
d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42
MD5 hash:
7441da3548290766203fb50e1da65983
SHA1 hash:
6ab2471aad73f3e59f721c8d3b662797cd0780f6
Link:
https://www.unpac.me/results/161fadd4-ddbd-428d-8851-65ced99f1f3d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Gozi

Executable exe d49b3f0f364d77154cb09ef632b4698657108b55e8c6dcd88e5f38a6f83fcdb3

Gozi

Executable exe d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42

(this sample)

  
X
https://twitter.com/nao_sec/status/1373093180816588802
  
Dropped by
SHA256 d49b3f0f364d77154cb09ef632b4698657108b55e8c6dcd88e5f38a6f83fcdb3
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/125735/

Comments