MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d7102c2bee0abe8f04f3faf34374462dbe7b528f3de6492b6e9ce230a5a8d5ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Gozi
Vendor detections: 10
| SHA256 hash: | d7102c2bee0abe8f04f3faf34374462dbe7b528f3de6492b6e9ce230a5a8d5ef |
|---|---|
| SHA3-384 hash: | 193c5d99f97fd84b716a96f0b2affe0a73e7830da019ed82225bd2b7bc5abbb916eb9f64324248379975f5c64032b236 |
| SHA1 hash: | 1c593344883c0db0f34a917381ea7865cbfceba2 |
| MD5 hash: | 2d242e5ea5fbb1541d1c72b6a01236f6 |
| humanhash: | beryllium-ohio-october-blossom |
| File name: | 2d242e5ea5fbb1541d1c72b6a01236f6.dll |
| Download: | download sample |
| Signature | Gozi |
| File size: | 128'528 bytes |
| First seen: | 2021-04-04 16:54:12 UTC |
| Last seen: | Never |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | 811de8e945c2087a6e052096546cd842 (15 x Gozi) |
| ssdeep | 1536:DWKaY5Se9WnVI78XvnoxJasJvRHKmyGDvDk0Rt9Y56l5ZMpvV05o9OX5xPw8:DWa0eQnVI7qCqZGDvDk4wol5w0EU |
| TLSH | 3EC3DF00B9DCC4C1D3EA99B049A4DE75350AEDA62834900733F37F6D7EF63A629AB544 |
| Reporter |  abuse_ch |
| Tags: | dll Gozi isfb Ursnif |
Intelligence
File Origin
# of uploads :
1
# of downloads :
370
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Verdict:
Malicious
Result
Threat name:
Ursnif
Detection:
malicious
Classification:
troj
Score:
84 / 100
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Gathering data
Threat name:
Win32.Trojan.Ursnif
Status:
Malicious
First seen:
2021-04-04 17:06:30 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
5/5
Detection(s):
Malicious file
Result
Malware family:
gozi_ifsb
Score:
10/10
Tags:
family:gozi_ifsb botnet:5566 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
bing.com
update4.microsoft.com
under17.com
urs-world.com
update4.microsoft.com
under17.com
urs-world.com
Unpacked files
SH256 hash:
063ab0bbf0fb0d410d6cdb708ebf61f0f9aeb95fb475ae2d684fc17fbf9bec73
MD5 hash:
5009f5be4c126c9dd02c3db4a30f6217
SHA1 hash:
c44c5e80c528dae380c93f616818bcaff2a1aaf2
Detections:
win_isfb_auto
SH256 hash:
d8badab2df94fedfa9b7f978add09ff2076fd653f3ebb5152a0bf98bf619ba69
MD5 hash:
e72737e72f201e73b1d8c20ae7d1316b
SHA1 hash:
1ac30858e11cffa7fb5a0cb0d192971e7ef4002b
Detections:
win_isfb_auto
Parent samples :
4502918b2eb7a7ff6bc77a2d9878fae3b2389f30124d224ba92958ab13fdf39c
33439b8dfd712e802c8da57016f04842f97047fcb875fa53fb7e34d2e876fc9a
def873123cd2f2a1a2bb661c1ea1986526b86240fb4263e96be6c6a528c02428
eb617fa7cba6309640cda1035eee2fc79fa77c44b229e3c0213d44d97f1b4426
a1600c28548734d79d07a4d91da7e7420da472636a0820764247601f9dd73d5d
7d4aa2b93d2d795cdeca94ae454abbcaffe331583670893076ede4cfb58f5c79
22682ac6f8c484759f44786cc73109993d858a29b25fa1512196154cf2f0299c
d7102c2bee0abe8f04f3faf34374462dbe7b528f3de6492b6e9ce230a5a8d5ef
657455d2129ca06ee85cb534186d7d80b648e10f7f9e50f43cc5f56fbc7d154c
7d80947ba6784330e792fae5eded56f2e7f228740e19f9af19106886e567b268
8b130f9fbdcfc64e2ef698a1f111409c66aff2ab6ce66ae0286f8c6817376064
65179a35467708828de13c9a53f254c956cc4235a0196e3c53ca5022c176a6aa
db9ede8dfbecb23b804cd592eeb7500e397ade3bc1fa01551a912ae572cda8b3
7af19b7aa91cf1a3fb479f1f352e0a979df69779256653eb1c9961fc9238fb73
2817053b604f2d5f62400afd737d9124c87cc388f76aa10e5cc2db867a31c5dd
33439b8dfd712e802c8da57016f04842f97047fcb875fa53fb7e34d2e876fc9a
def873123cd2f2a1a2bb661c1ea1986526b86240fb4263e96be6c6a528c02428
eb617fa7cba6309640cda1035eee2fc79fa77c44b229e3c0213d44d97f1b4426
a1600c28548734d79d07a4d91da7e7420da472636a0820764247601f9dd73d5d
7d4aa2b93d2d795cdeca94ae454abbcaffe331583670893076ede4cfb58f5c79
22682ac6f8c484759f44786cc73109993d858a29b25fa1512196154cf2f0299c
d7102c2bee0abe8f04f3faf34374462dbe7b528f3de6492b6e9ce230a5a8d5ef
657455d2129ca06ee85cb534186d7d80b648e10f7f9e50f43cc5f56fbc7d154c
7d80947ba6784330e792fae5eded56f2e7f228740e19f9af19106886e567b268
8b130f9fbdcfc64e2ef698a1f111409c66aff2ab6ce66ae0286f8c6817376064
65179a35467708828de13c9a53f254c956cc4235a0196e3c53ca5022c176a6aa
db9ede8dfbecb23b804cd592eeb7500e397ade3bc1fa01551a912ae572cda8b3
7af19b7aa91cf1a3fb479f1f352e0a979df69779256653eb1c9961fc9238fb73
2817053b604f2d5f62400afd737d9124c87cc388f76aa10e5cc2db867a31c5dd
SH256 hash:
d7102c2bee0abe8f04f3faf34374462dbe7b528f3de6492b6e9ce230a5a8d5ef
MD5 hash:
2d242e5ea5fbb1541d1c72b6a01236f6
SHA1 hash:
1c593344883c0db0f34a917381ea7865cbfceba2
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Ursnif3 |
|---|---|
| Author: | kevoreilly |
| Description: | Ursnif Payload |
| Rule name: | win_isfb_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.