MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfbc5b7983de8ea77c2eaee6b821132699737755b27007c6f932ac673a6a1ea8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi
Vendor detections: 7

SHA256 hash: dfbc5b7983de8ea77c2eaee6b821132699737755b27007c6f932ac673a6a1ea8
SHA3-384 hash: 4b43c43866d5cde6a389e9bed94dab9e4b488179e6a57a1db467410c8e8035d9aa1c2c845039fc76d7df2205f06b1900
SHA1 hash: 62d75a0d19ebb1d24d5519d7aca77876ff2ed5a3
MD5 hash: 0c47d472a69e47a50f5c4c794e8c4376
humanhash: double-queen-snake-undress
File name: officina.Dll
Signature: Gozi
File size: 472'064 bytes
First seen: 2020-09-21 05:27:14 UTC
Last seen: 2020-09-21 09:34:26 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 5d1f79e14907400a56794e709a936d6b (1 x Gozi)
ssdeep: 12288:A1RFqO1DYviwYdq0Wz3ZckCPKAA+zddGYuY5ad3a:A1+OBHwHzJcCAXGG
Threatray: 57 similar samples on MalwareBazaar
TLSH: E3A46C01B7A08034F9FF1AF985BDA1A8653D7DD04B3494CB53C06AEE6A35AD5AC30B17
Reporter: JAMESWT_WT
Tags: dll Gozi isfb Ursnif

Intelligence


File Origin
# of uploads: 2
# of downloads: 361
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour:
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window

Result
Threat name:
Detection: malicious
Classification: bank.troj
Score: 56 / 100
Signature:
Creates a COM Internet Explorer object
Writes registry values via WMI
Yara detected Ursnif
Behaviour:
Behavior Graph (ID 287926, sample officina.Dll, start date 21/09/2020, architecture WINDOWS, score 56): loaddll32.exe and iexplore.exe are started; loaddll32.exe spawns four rundll32.exe processes, which write registry values via WMI and create a COM Internet Explorer object; iexplore.exe spawns a child iexplore.exe that issues a DNS request for pop53334.yahoo.com; Yara detected Ursnif.
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2020-09-21 05:02:19 UTC
File Type: PE (Dll)
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour:
Suspicious behavior: GetForegroundWindowSpam

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Gozi | DLL dll | dfbc5b7983de8ea77c2eaee6b821132699737755b27007c6f932ac673a6a1ea8 (this sample)
