MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1885b84829f448f9d549144ea8221f422a9243a4693101a145c0836cc13fac1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	e1885b84829f448f9d549144ea8221f422a9243a4693101a145c0836cc13fac1
SHA3-384 hash:	7f5b0c8bedb37b3ad5f59a0b1de59a7683c45f6c8e4abd0cbd4f13b174f06598d85a6b7f17e88abef88d75d530a2a289
SHA1 hash:	f98d2b8a622891acc9c2a40115d4c2357e95ca1f
MD5 hash:	feb09e0eb2b4cc5fefbf9220557ef9b4
humanhash:	hydrogen-october-florida-montana
File name:	51b0000.dll
Download:	download sample
Signature	Gozi Create hunting rule
File size:	232'960 bytes
First seen:	2022-09-22 14:29:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:UlfGqwJTeTEom3lIkR2SCD6q9KgyItk78mV0dfgxT/cqAlw5VgCK5hcjFwxJFocW:UlDosEPR66q9KgylInd6oqAlD5dnFoc
Threatray	87 similar samples on MalwareBazaar
TLSH	T126346E5AA3E10995DD6BD5B5CE53D217EBF234092B24D30F57B0CAAA6F17722B21C302
TrID	28.8% (.EXE) DOS Executable Borland Pascal 7.0x (2035/25) 28.3% (.EXE) Generic Win/DOS Executable (2002/3) 28.3% (.EXE) DOS Executable Generic (2000/1) 14.2% (.SCORE) Music Craft Score (1007/6) 0.2% (.DBF) Sybase iAnywhere database files (19/3)
Reporter	0x746f6d6669
Tags:	exe Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

51b0000.dll

Verdict:

No threats detected

Analysis date:

2022-09-22 14:30:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1ffddbc0-b2b7-4c68-a72c-27013f140b72

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/312368/

Detection(s):

Win.Malware.Ursnif-9884005-0

Win.Malware.Ursnif-9886559-0

Win.Malware.Ursnif-9892796-0

Win.Malware.Ursnif-9896448-0

Win.Malware.Ursnif-9917123-0

Win.Malware.Ursnif-9937854-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/632c71aab333b2ec6b42c550/reports/11d2a985-abf5-4cf4-882f-a1c1ccdcb89f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c18198be-d371-4895-bd6d-2dfb7b0b3c7a

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1075362

Signature

Antivirus / Scanner detection for submitted sample

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e1885b84829f448f9d549144ea8221f422a9243a4693101a145c0836cc13fac1/

Threat name:

Win64.Trojan.Ursnif

Status:

Malicious

First seen:

2022-09-22 14:30:08 UTC

File Type:

PE+ (Dll)

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4gefxbect5ci7hkusfcovarb6qrksjb2i2jragqulqedntat7laq._file

Verdict:

malicious

Label(s):

gozi

Gozi

154a3d6b6884c0ad1152f84d209053fc2dbabfadae47d22eb1486c83d001cfab

Gozi

459ae352ddf8d4b69efbad05bba5b03d2a54d810407ec3f85b42b7175af90689

Gozi

488925a89527506e1e40d24e0599e758bcf44bdd788f9da852823c27898d164e

Gozi

54eed1d4eb8679e67541c1102e743a1d636b90860bdea3ace0e9fd7a2d4309ee

Gozi

59aeca8691ad3ddf1ad2217938f543821179ba1bdb7190e50c3df8605314b549

Gozi

86b1f0e8e8d97005fb1d6671fbd424a8296762c4023f03365d04897b87b75cca

Gozi

cf043012ad2be371b8f945ac4952f79d9484f74d8e5fe9a08970d0df748927ab

Gozi

dc641a85150af5ede0e9a4ab23144a578889bbee7163addf9e97b5fab7d09fc8

Gozi

+ 77 additional samples on MalwareBazaar

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:10103

Link:

https://tria.ge/reports/220922-rt5nzafdgr/

Malware Config

C2 Extraction:

trackingg-protectioon.cdn1.mozilla.net
45.8.158.104
188.127.224.114
weiqeqwns.com
wdeiqeqwns.com
weiqeqwens.com
weiqewqwns.com
iujdhsndjfks.com

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5f189a2d-bc2f-4128-abdb-0ec54790044c

Unpacked files

SH256 hash:

e1885b84829f448f9d549144ea8221f422a9243a4693101a145c0836cc13fac1

MD5 hash:

feb09e0eb2b4cc5fefbf9220557ef9b4

SHA1 hash:

f98d2b8a622891acc9c2a40115d4c2357e95ca1f

Link:

https://www.unpac.me/results/199cc9b3-c35f-4118-acea-24ab1bbf553d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e1885b84829f448f9d549144ea8221f422a9243a4693101a145c0836cc13fac1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	RansomwareTest6 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest7 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/312368/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample