MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d50570c1b4d064fb1f6e855d0c27ac1958a7a32c3cef5e6373094d82647f5bd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d50570c1b4d064fb1f6e855d0c27ac1958a7a32c3cef5e6373094d82647f5bd4
SHA3-384 hash: 029e59e7625b4094b5c12376216f89118b324f9017091ecbb3ef7429df9c8ecc5d2080c8fbd842b7b9c73b2591acf163
SHA1 hash: 1f178b5501b0cfba33be5391b9cfa9c3eb20bfb3
MD5 hash: d24bad9f74a3cb645f25500552860d7d
humanhash: nevada-earth-north-carolina
File name:64770e200bf47.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:510'976 bytes
First seen:2023-05-31 09:08:21 UTC
Last seen:2023-05-31 09:42:32 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 2834d6de694a1e118fce1c518a77096f (1 x Gozi)
ssdeep 12288:CCTVqq1Tb1bfFBfDtNK+UmDFZIdP03d5700R:LToq9Rf7tNK+HrId03dxt
Threatray 76 similar samples on MalwareBazaar
TLSH T159B4BE1CFA478531D6AE213019EB567A162DE8208B2491FF2394CBBB3EEC1D25D3571E
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter JAMESWT_WT
Tags:brt dll Gozi Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
307
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
UrsnifV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/394015/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.11536.15008.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger lolbin packed
Link:
https://www.filescan.io/uploads/64770eaf9f24e991a79dbf54/reports/8bba418b-e692-42bc-8781-5f2a641f1f39/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d50570c1b4d064fb1f6e855d0c27ac1958a7a32c3cef5e6373094d82647f5bd4
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/75398f31-330e-41d7-9548-6161acb511fe
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245901
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to steal Mail credentials (via file / registry access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 878919 Sample: 64770e200bf47.dll Startdate: 31/05/2023 Architecture: WINDOWS Score: 100 102 Snort IDS alert for network traffic 2->102 104 Found malware configuration 2->104 106 Malicious sample detected (through community Yara rule) 2->106 108 3 other signatures 2->108 9 loaddll32.exe 7 2->9         started        13 mshta.exe 19 2->13         started        15 mshta.exe 2->15         started        process3 dnsIp4 86 provaterta.com 9->86 126 Writes or reads registry keys via WMI 9->126 128 Writes registry values via WMI 9->128 17 regsvr32.exe 6 9->17         started        21 cmd.exe 1 9->21         started        23 rundll32.exe 9->23         started        30 3 other processes 9->30 25 powershell.exe 1 29 13->25         started        28 powershell.exe 15->28         started        signatures5 process6 dnsIp7 82 provaterta.com 91.215.85.164, 49711, 49712, 80 PINDC-ASRU Russian Federation 17->82 84 192.168.2.1 unknown unknown 17->84 110 System process connects to network (likely due to code injection or exploit) 17->110 112 Writes to foreign memory regions 17->112 114 Allocates memory in foreign processes 17->114 124 2 other signatures 17->124 32 control.exe 17->32         started        35 rundll32.exe 21->35         started        80 C:\Users\user\AppData\...\14v4tzkp.cmdline, Unicode 25->80 dropped 116 Injects code into the Windows Explorer (explorer.exe) 25->116 118 Modifies the context of a thread in another process (thread injection) 25->118 120 Maps a DLL or memory area into another process 25->120 37 explorer.exe 25->37 injected 39 csc.exe 25->39         started        42 csc.exe 25->42         started        44 conhost.exe 25->44         started        122 Creates a thread in another existing process (thread injection) 28->122 46 csc.exe 28->46         started        48 csc.exe 28->48         started        50 conhost.exe 28->50         started        file8 signatures9 process10 file11 88 Injects code into the Windows Explorer (explorer.exe) 32->88 90 Allocates memory in foreign processes 32->90 92 Modifies the context of a thread in another process (thread injection) 32->92 52 rundll32.exe 32->52         started        94 Tries to steal Mail credentials (via file / registry access) 37->94 96 Changes memory attributes in foreign processes to executable or writable 37->96 98 Writes to foreign memory regions 37->98 100 3 other signatures 37->100 54 cmd.exe 37->54         started        56 RuntimeBroker.exe 37->56 injected 58 RuntimeBroker.exe 37->58 injected 68 2 other processes 37->68 72 C:\Users\user\AppData\Local\...\14v4tzkp.dll, PE32 39->72 dropped 60 cvtres.exe 39->60         started        74 C:\Users\user\AppData\Local\...\dyuiwscy.dll, PE32 42->74 dropped 62 cvtres.exe 42->62         started        76 C:\Users\user\AppData\Local\...\2ybfkl5n.dll, PE32 46->76 dropped 64 cvtres.exe 46->64         started        78 C:\Users\user\AppData\Local\...\csed2jse.dll, PE32 48->78 dropped 66 cvtres.exe 48->66         started        signatures12 process13 process14 70 conhost.exe 54->70         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d50570c1b4d064fb1f6e855d0c27ac1958a7a32c3cef5e6373094d82647f5bd4/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2023-05-31 09:08:20 UTC
File Type:
PE (Dll)
Extracted files:
6
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ucxbqnu2bspwh3oqvoqyj5mdfmkpizmhtxv4y3tbfgyezd7lpka._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0423fd21a639d16d71c50b15fdf96b7e19690583b2aee6f25443329d0e8ea0eb
Gozi
06864a9cd9890f3c1aad6bdc5dfbfb799e68f5f90a99b6146ca70850d0a249a1
Gozi
54e1a7dc75b550786afcb0601020a2c50739347541cc8cb969acf76b90222458
Gozi
65f687a5c0e757cd8e296f8b0453b27726e5017502e93dcb8379d59fe9c056a3
Gozi
7ad0db9da1c28e6d12826b846ee3c82bda649e00d717cb2c4aefeaed56ea48ce
Gozi
8291f9579288153e0a1812c6c528563634c5c41b0916c606f7d8b4544ccc381a
Gozi
b43477f47c385bafdba8ad86f3dc7f01b2ee6076bcc1eb53d3d5219e2952cc9d
Gozi
b56043cc20c91f39773e23f2e34612cf4453df9c650b8014b756dffa850b009e
Gozi
d42f53c75818af4aae281a0c3f760e20643852405d69134d03f6ba5c62efe316
Gozi
ea2d71af9790b0a058d0d166c52c2609a1a106053189c515b6059b5f18e9e48b
Gozi
+ 66 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:5050 banker isfb trojan
Link:
https://tria.ge/reports/230531-k4fn9sed3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Gozi
Malware Config
C2 Extraction:
https://fazz.bing.com/check
http://provaterta.com
https://fazzd.bing.com/check
provaterta.com
Unpacked files
SH256 hash:
14badf9b8578b779bd08788ee1c8b136f4010f23ed9dd870528f4359b248fc73
MD5 hash:
2dbdb4014381b723468938673af17b5a
SHA1 hash:
ab107e1c0f21aab062a3e151cc112410aabc3678
Link:
https://www.unpac.me/results/3ba7b84f-4b9d-4835-9375-706c1ea702e9/
SH256 hash:
5fd4f7431c35c52d4a906ae52a162ff923e78ac3535692022ddeefdea1db1fcf
MD5 hash:
4deb8229270797d31ab0e6261c7aad09
SHA1 hash:
0a64018f472ac7afc22d1d1c15fdd7facb600a6d
Link:
https://www.unpac.me/results/3ba7b84f-4b9d-4835-9375-706c1ea702e9/
SH256 hash:
d50570c1b4d064fb1f6e855d0c27ac1958a7a32c3cef5e6373094d82647f5bd4
MD5 hash:
d24bad9f74a3cb645f25500552860d7d
SHA1 hash:
1f178b5501b0cfba33be5391b9cfa9c3eb20bfb3
Link:
https://www.unpac.me/results/3ba7b84f-4b9d-4835-9375-706c1ea702e9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d50570c1b4d064fb1f6e855d0c27ac1958a7a32c3cef5e6373094d82647f5bd4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll d50570c1b4d064fb1f6e855d0c27ac1958a7a32c3cef5e6373094d82647f5bd4

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/394015/
  
URLhaus
https://urlhaus.abuse.ch/url/2647388/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2647390/

Comments