MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d61ee5e7b17684983ea9049f719beb05978a813638f53f7625e970bae1c2abd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d61ee5e7b17684983ea9049f719beb05978a813638f53f7625e970bae1c2abd7
SHA3-384 hash: ca09ece34ef2ea1386261e8979d4aae7ec6bf49abeec07a749b913307c9a81769f31b8fa8564e9baa5cd38eb8c82f695
SHA1 hash: c640e2e26b783093c8b1d418af11f468c828458f
MD5 hash: 0179f7b0bd61f06d3705812e50583b20
humanhash: bakerloo-arizona-cup-happy
File name:0179f7b0bd61f06d3705812e50583b20.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:378'880 bytes
First seen:2022-02-24 08:59:09 UTC
Last seen:2022-02-24 09:29:11 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c311ddd1f8a9ea5ca6b95a50e682512e (1 x Gozi)
ssdeep 6144:dtukWLu3M+uqn3F6vPNZAdSEJayJjVSSfz2y/huNT+:bWLuc+uKCqdSEJPNVSSP58T
Threatray 472 similar samples on MalwareBazaar
TLSH T15E84E85EE3D019CDF1E72CBC6564639A0FD50FB20E3EA0B7A013288925715F89D2AB57
Reporter abuse_ch
Tags:dll geo Gozi inps isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/244180/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/621748f73b743d74eee46acd/reports/8d2479d4-b4bb-4337-a9dc-3fd21cdcfda1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f87706b-29c2-4d3a-b259-3a4515b80c7f
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/945542
Signature
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Remote Thread Created
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 578022 Sample: BhWD3mjgh8.dll Startdate: 24/02/2022 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 7 other signatures 2->56 7 loaddll32.exe 7 2->7         started        11 iexplore.exe 2->11         started        13 iexplore.exe 1 56 2->13         started        15 3 other processes 2->15 process3 dnsIp4 48 premiumlists.ru 7->48 68 Found evasive API chain (may stop execution after checking system information) 7->68 70 Found API chain indicative of debugger detection 7->70 72 Writes or reads registry keys via WMI 7->72 74 Writes registry values via WMI 7->74 17 regsvr32.exe 6 7->17         started        21 cmd.exe 1 7->21         started        23 rundll32.exe 6 7->23         started        31 2 other processes 7->31 33 8 other processes 11->33 25 iexplore.exe 31 13->25         started        27 iexplore.exe 31 13->27         started        29 iexplore.exe 30 13->29         started        35 4 other processes 15->35 signatures5 process6 dnsIp7 58 Writes or reads registry keys via WMI 17->58 60 Writes registry values via WMI 17->60 37 rundll32.exe 21->37         started        62 System process connects to network (likely due to code injection or exploit) 23->62 40 cloudlines.top 31.41.46.120, 49773, 49774, 49781 ASRELINKRU Russian Federation 25->40 42 192.168.2.1 unknown unknown 27->42 44 linkspremium.ru 62.173.149.135, 49775, 49776, 49777 SPACENET-ASInternetServiceProviderRU Russian Federation 29->44 46 premiumlists.ru 45.128.184.132, 80 MGNHOST-ASRU Russian Federation 33->46 signatures8 process9 signatures10 64 System process connects to network (likely due to code injection or exploit) 37->64 66 Writes registry values via WMI 37->66
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d61ee5e7b17684983ea9049f719beb05978a813638f53f7625e970bae1c2abd7/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 09:00:11 UTC
File Type:
PE (Dll)
Extracted files:
8
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ypolz5ro2cjqpvjaspxdg7lawlyvajwhd2t65rf5fylvyocvplq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86
Gozi
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
37603cddc36ec9c8b2b6c3d6a0d1a05ee33b1df81befe404ffcc398a6acd1edb
Gozi
410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd
Gozi
+ 462 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7618 banker trojan
Link:
https://tria.ge/reports/220224-kydbyscee8/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
cloudlines.top
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
a4e83e7bfc77fefb6f34da95c5279a032c8ef74b1b6e113bc71a7d6f07ccc76d
MD5 hash:
8afb9bf933fb6fd475295b1c5af8e381
SHA1 hash:
ad938ec3bdbda6190433b51f56e18110beabf827
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/c1bdf431-4f52-4dc4-b7ab-9dee93a29e42/
SH256 hash:
d826e9cb0ad5b30854c771c8220fa760628cf25b1515f3caf6d92ddea8a832b4
MD5 hash:
85a19f78d1153ccaa812d346d3d2d5ed
SHA1 hash:
2bcb21d555b992d17ec862e41258e92dce9c6ae1
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/c1bdf431-4f52-4dc4-b7ab-9dee93a29e42/
SH256 hash:
d61ee5e7b17684983ea9049f719beb05978a813638f53f7625e970bae1c2abd7
MD5 hash:
0179f7b0bd61f06d3705812e50583b20
SHA1 hash:
c640e2e26b783093c8b1d418af11f468c828458f
Link:
https://www.unpac.me/results/c1bdf431-4f52-4dc4-b7ab-9dee93a29e42/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d61ee5e7b17684983ea9049f719beb05978a813638f53f7625e970bae1c2abd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll d61ee5e7b17684983ea9049f719beb05978a813638f53f7625e970bae1c2abd7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2055798/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/244180/

Comments