MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
SHA3-384 hash: e27459ee22b8c451fe6b00ea9e8575d05c9a1517d988b58adc61458255a6f3249ac294c5c4460bd090bcabca392c882a
SHA1 hash: d6de742f6caf13d4a9aa75287d041596fbcea73a
MD5 hash: 759e055bf47a9ce1a7fce3e3276120f3
humanhash: sad-oregon-juliet-skylark
File name:759e055bf47a9ce1a7fce3e3276120f3.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:133'529 bytes
First seen:2021-05-04 15:30:04 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 3f728412058b62c418b1091768b74d7b (8 x Gozi)
ssdeep 1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W
Threatray 250 similar samples on MalwareBazaar
TLSH 99D3BE0CF7E950C1C5DA3AB750B19E287228EE128DB4243616F62E797FF71A37C29485
Reporter abuse_ch
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Crypterx-9850539-0
Create hunting rule

SecuriteInfo.com.Trojan.Gozi.796.15659.27384.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/710458
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404151 Sample: H78gXhk1NY.dll Startdate: 04/05/2021 Architecture: WINDOWS Score: 68 15 Found malware configuration 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected  Ursnif 2->19 21 Machine Learning detection for sample 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-05-04 15:30:13 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3c6prpxlwwvwsc2sbfg7mml7ai7wf4ce5aihkcgyjudni4ap5ana._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
01006cd1258047b9e2bd9f58b303bd22c39b7f3242db9e4111f88b9f78b9df8f
Gozi
1abd2ae7b4600681751fcd1d401a6ad35fbdd3e231790be49ef7b61333358802
Gozi
310ac7c48b536f71a16706f67fd4d2bed5d9f5708dd460cf3cbc0cd34f43a3ed
Gozi
4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
Gozi
6e4568c87d8d2b5d6428ce46362b1ae29559047aafc275948cd4510573e460a8
Gozi
6eb9c1a0a8c539ac78ef7413a78479dbf6a3270f48c1ae79b4595aab0b299c63
Gozi
8328e3fd543f366d1625e37bf5b002b5d057b2d80aa2250326c174425886c1c0
Gozi
85d535a2051a60c54a1f2f43ce8854f51a784e87a7a9a5a337567fe3296d81a6
Gozi
9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6
Gozi
cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
Gozi
+ 240 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/210504-qv5jveg1tj/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
026a934ae5a96fbb53fa1b81f69d5441d87c039951fb17639773bfb7f0a063ac
MD5 hash:
b8e4c4663cc6a6b33e7fe81e86b85e6d
SHA1 hash:
3a182a1d590af2cf073491c7c748ee16853e525f
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/4490f456-4e56-4b2b-a539-c097fcd3dfad/
Parent samples :
cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
01006cd1258047b9e2bd9f58b303bd22c39b7f3242db9e4111f88b9f78b9df8f
4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6
d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
bb5480c21a832b918bb504d84450129527c3e0c4c49924ecd874e880a6fb54c4
92df4c929fde89abd9aca880f6e942e432853e5e8db64ffe4c19929ff4e2342f
9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8
SH256 hash:
d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
MD5 hash:
759e055bf47a9ce1a7fce3e3276120f3
SHA1 hash:
d6de742f6caf13d4a9aa75287d041596fbcea73a
Link:
https://www.unpac.me/results/4490f456-4e56-4b2b-a539-c097fcd3dfad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.42
Link:
https://yomi.yoroi.company/submissions/d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1101527/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-04 16:19:47 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0026.002] Data Micro-objective::XOR::Encode Data