MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3
SHA3-384 hash: 5b964d538d4c015e89d26a3dc0b8bf0b656b1d5b1c61a21215ce235e39755a27641285ff2d727025b83a798493430bd8
SHA1 hash: b452040d8072117ddbe1adf9e1eab5e4bdb150bd
MD5 hash: c9d954b3f1c512e6804fd8f5637b58b6
humanhash: tennis-red-sink-connecticut
File name:c9d954b3f1c512e6804fd8f5637b58b6
Download: download sample
Signature Gozi
Create hunting rule
File size:240'032 bytes
First seen:2020-11-25 17:52:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ace13c17e53d07ea38e285dca185c74f (1 x Gozi)
ssdeep 6144:SCY2oo127AHBPr4CggrMbPMdsf5LLNBU94nzKE:SSD6w4bKsf5PUomE
Threatray 31 similar samples on MalwareBazaar
TLSH 2134BE0B38C81CE5D02D13BC55F2E7EB479FE0B82F19B91B1EE845EA9843B81C57516A
Reporter lazyactivist192
Tags:dll Gozi tr01 Ursnif

Code Signing Certificate

Organisation:Symantec Time Stamping Services CA - G2
Issuer:Thawte Timestamping CA
Algorithm:sha1WithRSAEncryption
Valid from:Dec 21 00:00:00 2012 GMT
Valid to:Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105672/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Modifying a system file
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Creating a file
Searching for the window
Sending a custom TCP request
Sending an HTTP GET request
Creating a process with a hidden window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/547282
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 322748 Sample: vnaSKDMnLG Startdate: 25/11/2020 Architecture: WINDOWS Score: 100 83 resolver1.opendns.com 2->83 107 Found malware configuration 2->107 109 Antivirus / Scanner detection for submitted sample 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 10 other signatures 2->113 10 mshta.exe 2->10         started        13 loaddll32.exe 1 2->13         started        signatures3 process4 signatures5 129 Suspicious powershell command line found 10->129 15 powershell.exe 10->15         started        19 regsvr32.exe 8 13->19         started        21 cmd.exe 1 13->21         started        process6 file7 65 C:\Users\user\AppData\...\q3xypckz.cmdline, UTF-8 15->65 dropped 67 C:\Users\user\AppData\Local\...\chv50z53.0.cs, UTF-8 15->67 dropped 91 Injects code into the Windows Explorer (explorer.exe) 15->91 93 Writes to foreign memory regions 15->93 95 Modifies the context of a thread in another process (thread injection) 15->95 105 2 other signatures 15->105 23 explorer.exe 15->23 injected 27 csc.exe 15->27         started        30 csc.exe 15->30         started        32 conhost.exe 15->32         started        97 Maps a DLL or memory area into another process 19->97 99 Writes or reads registry keys via WMI 19->99 101 Writes registry values via WMI 19->101 103 Creates a COM Internet Explorer object 19->103 34 control.exe 19->34         started        36 WerFault.exe 19->36         started        38 iexplore.exe 2 65 21->38         started        signatures8 process9 dnsIp10 85 63.250.47.200, 49771, 80 NAMECHEAP-NETUS United States 23->85 87 162.0.213.229, 443, 49776, 49778 ACPCA Canada 23->87 115 Tries to steal Mail credentials (via file access) 23->115 117 Changes memory attributes in foreign processes to executable or writable 23->117 119 Tries to harvest and steal browser information (history, passwords, etc) 23->119 127 3 other signatures 23->127 40 cmd.exe 23->40         started        55 2 other processes 23->55 61 C:\Users\user\AppData\Local\...\q3xypckz.dll, PE32 27->61 dropped 42 cvtres.exe 27->42         started        63 C:\Users\user\AppData\Local\...\chv50z53.dll, PE32 30->63 dropped 44 cvtres.exe 30->44         started        121 Writes to foreign memory regions 34->121 123 Allocates memory in foreign processes 34->123 125 Modifies the context of a thread in another process (thread injection) 34->125 46 rundll32.exe 34->46         started        89 192.168.2.1 unknown unknown 38->89 48 iexplore.exe 164 38->48         started        51 iexplore.exe 35 38->51         started        53 iexplore.exe 38->53         started        57 3 other processes 38->57 file11 signatures12 process13 dnsIp14 59 conhost.exe 40->59         started        69 img.img-taboola.com 48->69 71 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49744, 49745 YAHOO-DEBDE United Kingdom 48->71 81 9 other IPs or domains 48->81 73 assets.onestore.ms 51->73 75 consentdeliveryfd.azurefd.net 51->75 77 ajax.aspnetcdn.com 51->77 79 groovcerl.xyz 162.0.213.230, 49765, 49766, 49767 ACPCA Canada 53->79 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-11-25 17:54:14 UTC
File Type:
PE (Dll)
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
184a4559b5b36330ba844ca4cd9408aed2f38290bf4cb8ad3ba6e129423a0bd0
Gozi
1f489fc6703dd57a5d322a920c98c60b0a9be1168147e3ab1f0db8fa2ba03dae
Gozi
394ecd747f9b75d73b9d9fb0e393c754ce030e1cccf6c2544fd6eb54578cd517
Gozi
562be8984ba2629bba153f053977bb0ef17942bfefdb610a8eb618d955ded112
Gozi
6a39a3e7387f3d214042b2d9d99f4d6de18303d56ad96c9a48df20cf4693091b
Gozi
b5bca2548051f7a0bccedd44ae018dfe9df7632ecb9c7c7ff98a6aadecc985b3
Gozi
ba1a4ae1f2155524be33ae4addcc907881d1b4e64c4a8090f4f77d1ad1e87cd0
Gozi
d7c37dced460635f71add15aa5071cdd82d73ab250c7f3104387bcdceb7ddced
Gozi
f394be3f5bca6042b4c243810e61047cdc48802d278059ab03d07b2495e48704
Gozi
ff84091bb6f0eee80d98d41baf3ea143b48502d3933c0d9097abdf99618ffcf8
Gozi
+ 21 additional samples on MalwareBazaar
Result
Malware family:
ursnif
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb family:ursnif banker spyware trojan
Link:
https://tria.ge/reports/201125-v3czamecp6/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
ServiceHost packer
Gozi, Gozi IFSB
Ursnif, Dreambot
Unpacked files
SH256 hash:
d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3
MD5 hash:
c9d954b3f1c512e6804fd8f5637b58b6
SHA1 hash:
b452040d8072117ddbe1adf9e1eab5e4bdb150bd
Link:
https://www.unpac.me/results/1efde5e3-4236-4b9d-aac7-0e9b6435ad69/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d7fafabbb381/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/823864/
Cape
Cape
https://www.capesandbox.com/analysis/105672/

Comments