MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da273d385123cc3a1b69a9127e6372305cebde9fcc3e2bc39145a1689b64d58b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	da273d385123cc3a1b69a9127e6372305cebde9fcc3e2bc39145a1689b64d58b
SHA3-384 hash:	a386b263261e3cb1fd56dc822880e27b8f6eb899c2764876cf5dbc4d0ef3e429d880944140af12a09b6f7a972cdc2cb8
SHA1 hash:	cd0371582ab5c10847954b1ff8a5cb3320d5d306
MD5 hash:	a9d14fb83b00c9974bd64ee97c85da3f
humanhash:	london-music-vermont-romeo
File name:	a9d14fb83b00c9974bd64ee97c85da3f
Download:	download sample
Signature	Gozi Create hunting rule
File size:	380'928 bytes
First seen:	2022-07-20 11:37:47 UTC
Last seen:	2022-07-20 12:37:46 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	3f91a16a8106be9ef3da6e74ffb8e409 (1 x Gozi)
ssdeep	6144:lqZsuS62I+QHvrkSgoslayHhCuPPXAtOc9+IMyj98h11wEoC5:lqzlD3vrfXuPPXAtOc9pB21vD5
TLSH	T18E84F155D832747DCFF7617FAEF43950F488B2CC3AA9A851E6CABEC81008E6553C2496
TrID	59.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 18.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.3% (.EXE) OS/2 Executable (generic) (2029/13) 7.2% (.EXE) Generic Win/DOS Executable (2002/3) 7.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	malwarelabnet
Tags:	dll Gozi gozi_ifsb Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

642

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/292907/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.14764.3612.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a window

Searching for the window

Creating a file in the %temp% directory

Creating a file

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Running batch commands

Reading critical registry keys

Changing a file

Launching the process to interact with network services

Setting browser functions hooks

Possible injection to a system process

Stealing user critical data

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62d7e95eef2b0e63a82991ab/reports/948169bf-b220-4466-b43c-6efbaf55ee8f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

bank.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1037434

Behaviour

Behavior Graph:

n/a

Detection:

isfb

Link:

https://mwdb.cert.pl/sample/da273d385123cc3a1b69a9127e6372305cebde9fcc3e2bc39145a1689b64d58b/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2022-07-20 11:38:08 UTC

File Type:

PE (Dll)

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3itt2ocrepgdug3jvejh4y3sgbooxxu7zq7cxq4riwqwrg3e2wfq._file

Verdict:

malicious

Label(s):

gozi

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:3000 banker trojan

Link:

https://tria.ge/reports/220720-nrp9qaehf8/

Behaviour

Discovers systems in the same network

Enumerates processes with tasklist

Gathers system information

Runs net.exe

Runs ping.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Blocklisted process makes network request

Gozi, Gozi IFSB

Malware Config

C2 Extraction:

config.edge.skype.com
193.27.14.240
94.198.40.39
kimzooxl.at
94.198.40.47
94.198.40.58
havefuntxmm.at

Unpacked files

SH256 hash:

650e5ef59f5b775ec41895e429d842c22343e7aa92fa14a03c0554f043d043c5

MD5 hash:

a8e571786be0247ba582b94a5cdd9da1

SHA1 hash:

c6e150e950b7914e821942e847e4dc441656e14b

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/29b97105-f5cf-4a49-9fca-e4ef8f37889b/

Parent samples :

ee53ac8909a116494439489590de99162e1e3ceb6bdf839b6e30bdc1686d2a11
8730706139c6431886ce5d5fe83079f063fa81f85c2827f7b34b4ecb30886871
4e199eda08279c7e758ee7a63e44a934866c4b66b99113de3ed095f696054793
da273d385123cc3a1b69a9127e6372305cebde9fcc3e2bc39145a1689b64d58b

SH256 hash:

c58ac9152b9f2d6a866282a88e1c175d6317d5a432c3c3fbabd6f04a38a94549

MD5 hash:

f8785694f14bf0bf570453851911e055

SHA1 hash:

143d6b1b5d3b7b92d2b1f8a9598eb4d7240e80d2

Link:

https://www.unpac.me/results/29b97105-f5cf-4a49-9fca-e4ef8f37889b/

SH256 hash:

da273d385123cc3a1b69a9127e6372305cebde9fcc3e2bc39145a1689b64d58b

MD5 hash:

a9d14fb83b00c9974bd64ee97c85da3f

SHA1 hash:

cd0371582ab5c10847954b1ff8a5cb3320d5d306

Link:

https://www.unpac.me/results/29b97105-f5cf-4a49-9fca-e4ef8f37889b/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/da273d385123/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/da273d385123cc3a1b69a9127e6372305cebde9fcc3e2bc39145a1689b64d58b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/292907/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample