MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7e64f8e65ce586ce2f0a857810b2a23f85140bf5e52e5a824f09787fb2bf45e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7e64f8e65ce586ce2f0a857810b2a23f85140bf5e52e5a824f09787fb2bf45e
SHA3-384 hash: 8eada6b8d13a9db276541b7704682707600761c1b727372f675b58742bb0a75dfb78e4628c34f182b3e4906ad223b483
SHA1 hash: ef46f9c62b94715b750173074c51100285ff6fe9
MD5 hash: 499200f6a8e223c057c6e16701740721
humanhash: kansas-jupiter-blossom-sad
File name:direction.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:258'504 bytes
First seen:2021-07-27 08:54:22 UTC
Last seen:2021-07-27 21:29:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d34313ce3555dec95480bcae2d5dea6b (1 x Gozi)
ssdeep 3072:SEF7LCAtgVteclWZuw72sQI6ja4IyXBiGqfWOSi7NTk+0UylJm2os4nd41RgVTo6:SEFXKVteapw7SIJ4G9dpNyjmJLsRGPhz
Threatray 333 similar samples on MalwareBazaar
TLSH T153448EA5ADD489F6E85D0035C8D58BF16FED9E30E7E6604743A73B50A8B32D2223D50A
dhash icon 1cdadad4a6a4e400 (1 x Gozi)
Reporter JAMESWT_WT
Tags:dll Gozi isfb pwF7272021 pwRM2021OSO03 RM2021OSO03 Ursnif

Intelligence

File Origin
# of uploads :
3
# of downloads :
797
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
downloaddocument.do@docId=674ni1c6312a91d7149af89b6475ece38b9b3&docExtn=png
Verdict:
No threats detected
Analysis date:
2021-07-27 08:39:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/be815278-ed8f-45a7-87a1-8ed76a7601c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174303/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.20753.22007.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3725a45-646e-483a-9c5c-86469a94b846
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/822222
Signature
Creates an undocumented autostart registry key
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 454630 Sample: direction.dll Startdate: 27/07/2021 Architecture: WINDOWS Score: 76 30 alliances.bar 195.110.59.2, 49775, 49776, 49777 AS-HOSTINGERLT Lithuania 2->30 32 www.alliancer.bar 2->32 34 4 other IPs or domains 2->34 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected  Ursnif 2->46 8 loaddll32.exe 1 2->8         started        signatures3 process4 signatures5 52 Writes or reads registry keys via WMI 8->52 54 Writes registry values via WMI 8->54 11 regsvr32.exe 8->11         started        14 iexplore.exe 6 125 8->14         started        16 cmd.exe 1 8->16         started        18 15 other processes 8->18 process6 signatures7 56 Writes or reads registry keys via WMI 11->56 58 Writes registry values via WMI 11->58 20 iexplore.exe 9 157 14->20         started        24 iexplore.exe 14->24         started        26 iexplore.exe 14->26         started        28 rundll32.exe 16->28         started        process8 dnsIp9 36 dart.l.doubleclick.net 142.250.186.70, 443, 49740, 49741 GOOGLEUS United States 20->36 38 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49753, 49754 FASTLYUS United States 20->38 40 12 other IPs or domains 20->40 48 Creates an undocumented autostart registry key 20->48 50 Writes registry values via WMI 28->50 signatures10
Gathering data
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-27 08:55:07 UTC
File Type:
PE (Dll)
Extracted files:
11
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b
Gozi
5831ebc72dc810c036fa0c1dc85e17490ebfe2f7379b9573f99d47817b9eb42c
Gozi
62dbfe723197430a3af1ec9262fcd2a5c2bfc8e81b97c313101f0a5388d587fc
Gozi
c521dd937ce9b2e8bda2fa915bae5b5be0e150a8b82e3b2bfb1cdbc60a8326c4
Gozi
f2dfc3562e150ca045557559269c3c21531bb85292864109fd2ceca4fe0f1ea9
Gozi
fa97cd35d76337ff4a523ebdd7f879359a70432a14b7377f06df29c4679b3f70
Gozi
+ 323 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7410 banker suricata trojan
Link:
https://tria.ge/reports/210727-2d8acwdeyx/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Malware Config
C2 Extraction:
signin.microsoft.com
alliances.bar
allianceline.bar
alliancer.bar
Unpacked files
SH256 hash:
cb97e1338c793a08627817dc943fe5f5ef9c87bdcf27b4a36fac5150cf4d490a
MD5 hash:
244534e01a832bc540d3c968c633df65
SHA1 hash:
355a21337ff1d253e4b4530aa0f3cca5085790d4
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/a831b039-a598-4383-8fb3-b47128a63782/
SH256 hash:
d7e64f8e65ce586ce2f0a857810b2a23f85140bf5e52e5a824f09787fb2bf45e
MD5 hash:
499200f6a8e223c057c6e16701740721
SHA1 hash:
ef46f9c62b94715b750173074c51100285ff6fe9
Link:
https://www.unpac.me/results/a831b039-a598-4383-8fb3-b47128a63782/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/d7e64f8e65ce586ce2f0a857810b2a23f85140bf5e52e5a824f09787fb2bf45e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe d7e64f8e65ce586ce2f0a857810b2a23f85140bf5e52e5a824f09787fb2bf45e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/174303/
  
URLhaus
https://urlhaus.abuse.ch/url/1484333/
  
Delivery method
Distributed via web download

Comments