MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2c19ac3eace29239bf919c442556abf782da5953325ee6b2626482fbf442f29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2c19ac3eace29239bf919c442556abf782da5953325ee6b2626482fbf442f29
SHA3-384 hash: 8ce81b5f9568cc3c73f71c1370ef4c4ce7c16511586c7e0f32a190269392b590077daeadb8d7c0c05513a0d9fda69838
SHA1 hash: 813df24ac22c2666b28bc3e7fb9bd1eef2a7f395
MD5 hash: 5ba7ac7fa4f9e831679832b6cc22aee8
humanhash: indigo-louisiana-winner-nevada
File name:SecuriteInfo.com..7135.20767
Download: download sample
Signature Gozi
Create hunting rule
File size:886'272 bytes
First seen:2021-06-10 20:47:11 UTC
Last seen:2021-08-25 18:19:37 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 1bcf1a17040e578ef3e6fe0888b5a0a4 (1 x Gozi)
ssdeep 24576:Ydk22FB2tfgklpVM5HdBcvLrXmF63WaSc:YdkDT29zaVg3WaSc
Threatray 378 similar samples on MalwareBazaar
TLSH CA15D0017B95F835E03502768FA5EBE1036DBD558F760B8B36C85E5F3A7D8831A29322
Reporter SecuriteInfoCom
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
3
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165966/
Detection(s):
SecuriteInfo.com..7135.20767.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/800514
Signature
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 432910 Sample: SecuriteInfo.com..7135.20767 Startdate: 10/06/2021 Architecture: WINDOWS Score: 76 25 Multi AV Scanner detection for domain / URL 2->25 27 Found malware configuration 2->27 29 Antivirus detection for URL or domain 2->29 31 Yara detected  Ursnif 2->31 7 loaddll32.exe 1 2->7         started        9 iexplore.exe 2 60 2->9         started        process3 process4 11 rundll32.exe 7->11         started        14 cmd.exe 1 7->14         started        16 rundll32.exe 7->16         started        18 iexplore.exe 39 9->18         started        dnsIp5 33 Writes registry values via WMI 11->33 21 rundll32.exe 14->21         started        23 authd.feronok.com 185.233.80.31, 49748, 49749, 80 SUPERSERVERSDATACENTERRU Russian Federation 18->23 signatures6 process7
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d2c19ac3eace29239bf919c442556abf782da5953325ee6b2626482fbf442f29/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2lazvq7kzyushg7zdhceevlkx54c3jmvgms642zgezec7p2ef4uq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
01fd38efd6b413c52b73ae4bdb563472a37a2ec440a8441a86ed11f4d8f4c5a0
Gozi
1da1183f1cd5f96f113a3b8978359b50380bfbc82e6987e274892edf56fcf3b5
Gozi
478be2a2eff77ac1ad7ff5e048bfb795ff7afd323f8e95b769ad26c40e582f38
Gozi
70f617d8686bdc7d17d4f3b992a27f2532686815aaf5289841b87fd0c198ff3a
Gozi
871193097b82dfa586f0c8701bd7f9b533fda74709ce53ce7e06fa541221e8d0
Gozi
8f8268c13ddc484a180cff0dd8e764e328897e7a978d0f45e9c26de57f233106
Gozi
aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1
Gozi
ab2ac6bebb2713759ce6e3d5db80fe8ccd4bb752199d9d71ce74a67ed8cf0c3b
Gozi
bea4b9483f25ce74c1116e05cc655c4735bf33ef90ded340c56e55218c26b0e7
Gozi
f4a464c2e5f14cd4c391a9b5ba60deca36ccaa6c1503a097eeb0c5070945d1fb
Gozi
+ 368 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:1500 banker trojan
Link:
https://tria.ge/reports/210610-52zf93b15s/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
authd.feronok.com
app.bighomegl.at
Unpacked files
SH256 hash:
1fedb931463be837e0d0811ce713a7c56a998271e5efc4ba737cc5ae4f95705a
MD5 hash:
34d716a641d7cb5f8ab4924597f54311
SHA1 hash:
7b023f048307d0d8497b6a3e282c1beb30e9ff33
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/e0726cb2-5f52-4689-a3cd-5788e775f11c/
SH256 hash:
d2c19ac3eace29239bf919c442556abf782da5953325ee6b2626482fbf442f29
MD5 hash:
5ba7ac7fa4f9e831679832b6cc22aee8
SHA1 hash:
813df24ac22c2666b28bc3e7fb9bd1eef2a7f395
Link:
https://www.unpac.me/results/e0726cb2-5f52-4689-a3cd-5788e775f11c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2c19ac3eace29239bf919c442556abf782da5953325ee6b2626482fbf442f29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll d2c19ac3eace29239bf919c442556abf782da5953325ee6b2626482fbf442f29

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1350676/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165966/

Comments