MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6
SHA3-384 hash: e5d770fe0e8b32b3b131b432fe11e17d24df8b56e00caacac88d4535a73b019ace29156a079b160d75c9e06d457a0227
SHA1 hash: 38de4f6bbd82ee58259d39db4cbb14c505837b88
MD5 hash: 1900f3bd2b1848b0f4b1a0495f11d84e
humanhash: mississippi-pennsylvania-september-princess
File name:DSC_Canon_23.12.2020.zip
Download: download sample
Signature Gozi
Create hunting rule
File size:261'632 bytes
First seen:2020-12-24 01:26:44 UTC
Last seen:2020-12-24 02:34:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (239 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 6144:9F0HdV67elw1KYkOrrzKtg3YmNyKfJ8631L:T0HdPt67bImQCO6F
Threatray 914 similar samples on MalwareBazaar
TLSH 1944124503B0C350DA10FEF1251AF6C635D890FFA7A0A71EF82A44162B7C6F1ABB6A15
Reporter nao_sec
Tags:Gozi PseudoGate SpelevoEK

Intelligence

File Origin
# of uploads :
2
# of downloads :
560
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DSC_Canon_23.12.2020.zip.exe
Verdict:
Malicious activity
Analysis date:
2020-12-24 01:15:04 UTC
Tags:
trojan gozi ursnif dreambot
Link:
https://app.any.run/tasks/d5809e95-3a8f-4609-880d-b5f4fc8eaa5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109275/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
Sending a UDP request
DNS request
Searching for the window
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Deleting a recently created file
Connecting to a non-recommended domain
Result
Verdict:
1
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/569509
Signature
Creates a COM Internet Explorer object
Found malware configuration
Machine Learning detection for sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333815 Sample: DSC_Canon_23.12.2020.zip Startdate: 24/12/2020 Architecture: WINDOWS Score: 80 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Yara detected  Ursnif 2->49 51 Machine Learning detection for sample 2->51 6 DSC_Canon_23.12.2020.exe 6 2->6         started        10 iexplore.exe 1 50 2->10         started        12 iexplore.exe 1 50 2->12         started        14 2 other processes 2->14 process3 dnsIp4 37 dolsibegriaosersk4ermanderezya.chimkent.su 6->37 53 Writes or reads registry keys via WMI 6->53 55 Writes registry values via WMI 6->55 57 Creates a COM Internet Explorer object 6->57 39 vip0x08e.ssl.rncdn5.com 10->39 41 vip0x04f.ssl.rncdn5.com 10->41 43 4 other IPs or domains 10->43 16 iexplore.exe 4 73 10->16         started        19 iexplore.exe 31 12->19         started        21 iexplore.exe 31 14->21         started        23 iexplore.exe 36 14->23         started        signatures5 process6 dnsIp7 25 redtube.com 66.254.114.238, 443, 49733, 49734 REFLECTEDUS United States 16->25 27 hubtraffic.com 66.254.114.32, 443, 49741, 49742 REFLECTEDUS United States 16->27 35 19 other IPs or domains 16->35 29 massidfberiatersksilkavayssstezya.ru 19->29 31 dolsibegriaosersk4ermanderezya.chimkent.su 178.210.89.119, 443, 49773, 49774 RU-CENTERRU Russian Federation 21->31 33 dolsggiberiaoserkmikluhasya.chimkent.su 21->33
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2020-12-24 01:27:04 UTC
AV detection:
13 of 48 (27.08%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
325bc657917b6e6a7fae45b50809420e6eac3e6b5f26ef4bdd6a06e211b8f2ea
Gozi
3dfaa4d8dc11dd8edc5d8cfc2f0ab0da6f52cc355a695548ca79dfac9bf2946b
Gozi
4b96ce7166869bec970ea01423baf8a06643c749030a148f6aacf101f20fcf35
Gozi
5e893a569533f7464e35b23fd00eefce1fc9af2512d918b73a493ec99b5e31c8
Gozi
70eb0335e1f9033bec0973ba114d5446442412a9069e05d0b0d7a403dc0b4fcf
Gozi
8ab5753e0dd8b4a54a0cc842bb2b53c97ed33d90bcc445ce4de58d1df9dc9060
Gozi
939b640dab052ec6a08e17075397aa34abb4d4943768628a767f93d9f7d973f8
Gozi
9ad452c41af7ed761449a51cca42b89827921f70f564331a4eed7a191c37c325
Gozi
a99dfa4b60347edac3d2083c96df817bc3dfdc3c206be400723abb594cdb510b
Gozi
ba1a50bf2a246672a5cc91a2d11732146a8c446594ad5672fa64da643c188acc
Gozi
+ 904 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan upx
Link:
https://tria.ge/reports/201224-z8khvxa4s6/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
7b1ab8deac1a159c6083d79d497840913634b431e0383b86a2a5f3ce958d89a2
MD5 hash:
5f632ea09687ca589fd0921beb33b5cf
SHA1 hash:
8b9bb2c9fdeca25af4d934747380fdc0c2ba81d3
Link:
https://www.unpac.me/results/bb41cf72-e01a-4f95-81e7-fccbef8f3662/
SH256 hash:
298d0ff74e2d7a07d367709d17b599bd3e9f756c866829cf2f262d83f02645ac
MD5 hash:
1f12d6d3bf04a979e540dc0f95fcf87e
SHA1 hash:
2f93e036427dde49417e358467041e26050100c9
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/bb41cf72-e01a-4f95-81e7-fccbef8f3662/
Parent samples :
dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6
f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641
aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154
d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42
556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb
SH256 hash:
d205f030da71f4967a3524eba124e588d7924b13752a8dcf694ab41c5bfe32ef
MD5 hash:
f76936131edbaede06e14867b8fe4873
SHA1 hash:
9f291dd75e48efe7654c152e9972c4573986f006
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/bb41cf72-e01a-4f95-81e7-fccbef8f3662/
Parent samples :
dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6
f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641
aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154
d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42
556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb
SH256 hash:
dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6
MD5 hash:
1900f3bd2b1848b0f4b1a0495f11d84e
SHA1 hash:
38de4f6bbd82ee58259d39db4cbb14c505837b88
Link:
https://www.unpac.me/results/bb41cf72-e01a-4f95-81e7-fccbef8f3662/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.44
Link:
https://yomi.yoroi.company/submissions/dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/nao_sec/status/1341736552389459968
Cape
Cape
https://www.capesandbox.com/analysis/109275/

Comments