MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869
SHA3-384 hash: 1e64e42f6a69691aae0b82773cc92f077dc73c9b911d69d283abd1990fed9074c794d8013cb936ee826dd1a6b3b326b9
SHA1 hash: bacbec8f116f3e5274693cf7ba6de5c83fb3d9a8
MD5 hash: 62cdd734fdd2d50b1f36f16dac017061
humanhash: oven-spring-idaho-pip
File name:62f24e6f4c4c7.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:621'568 bytes
First seen:2022-08-09 12:11:21 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 12288:BMCDYSJ1OIRxe6MNZ9W/YLy+I5HfKzSCD+Sfxo426Fcm3v5DK0gS:BJDYSnbeZnWALRy/hX5426FPf5eQ
Threatray 220 similar samples on MalwareBazaar
TLSH T1D9D412213B40EA9AD5A841B2F556DD5411E27B724CC6D8CEB3722FC736676E0CB92B03
TrID 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
26.3% (.EXE) Win32 Executable (generic) (4505/5/1)
11.8% (.EXE) OS/2 Executable (generic) (2029/13)
11.6% (.EXE) Generic Win/DOS Executable (2002/3)
11.6% (.EXE) DOS Executable Generic (2000/1)
Reporter JAMESWT_WT
Tags:agenziaentrate agenziariscossione dll Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
603
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297305/
Detection(s):
SecuriteInfo.com.BotX-genTrj.13927.18143.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62f24f90810e2831b72f603f/reports/fe7a8d30-aba6-4175-8f2a-872d444200b6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5aa9b9ce-c818-41d0-a508-3eba054831f8
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1048460
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to steal Mail credentials (via file / registry access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 680954 Sample: 62f24e6f4c4c7.dll Startdate: 09/08/2022 Architecture: WINDOWS Score: 100 94 Snort IDS alert for network traffic 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 Antivirus detection for URL or domain 2->98 100 2 other signatures 2->100 8 loaddll32.exe 1 2->8         started        11 mshta.exe 19 2->11         started        13 mshta.exe 2->13         started        process3 signatures4 102 Found evasive API chain (may stop execution after checking system information) 8->102 104 Found API chain indicative of debugger detection 8->104 15 regsvr32.exe 1 6 8->15         started        19 rundll32.exe 6 8->19         started        21 cmd.exe 1 8->21         started        27 4 other processes 8->27 23 powershell.exe 11->23         started        25 powershell.exe 13->25         started        process5 dnsIp6 66 79.110.52.8, 49742, 49761, 80 V4ESCROW-ASRO Romania 15->66 68 Writes to foreign memory regions 15->68 70 Allocates memory in foreign processes 15->70 72 Modifies the context of a thread in another process (thread injection) 15->72 82 2 other signatures 15->82 29 control.exe 15->29         started        74 System process connects to network (likely due to code injection or exploit) 19->74 31 control.exe 19->31         started        33 rundll32.exe 21->33         started        76 Injects code into the Windows Explorer (explorer.exe) 23->76 78 Maps a DLL or memory area into another process 23->78 80 Creates a thread in another existing process (thread injection) 23->80 36 csc.exe 23->36         started        39 csc.exe 23->39         started        41 conhost.exe 23->41         started        43 csc.exe 25->43         started        45 csc.exe 25->45         started        47 conhost.exe 25->47         started        signatures7 process8 file9 49 explorer.exe 29->49 injected 84 Writes registry values via WMI 33->84 58 C:\Users\user\AppData\Local\...\kn3vze44.dll, PE32 36->58 dropped 52 cvtres.exe 36->52         started        60 C:\Users\user\AppData\Local\...\f31zk2ft.dll, PE32 39->60 dropped 54 cvtres.exe 39->54         started        62 C:\Users\user\AppData\Local\...\ffeg2yxj.dll, PE32 43->62 dropped 56 cvtres.exe 43->56         started        64 C:\Users\user\AppData\Local\...\5rihggvs.dll, PE32 45->64 dropped signatures10 process11 signatures12 86 Tries to steal Mail credentials (via file / registry access) 49->86 88 Changes memory attributes in foreign processes to executable or writable 49->88 90 Writes to foreign memory regions 49->90 92 5 other signatures 49->92
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-08-09 12:12:09 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4gjgk3hjy45mppfuz3atmn4mlbb6ckfxnti4aino5qtu5xwl7buq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529
Gozi
3362915be3f3ed1572f4ba757d155608f54a460fd935bfe3f37138cf0fe383b6
Gozi
34437641a6b16fcbc6a726c0eabcebf0e9abccb3a878aee2d0a7797c0dd4eae9
Gozi
7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc
Gozi
8730706139c6431886ce5d5fe83079f063fa81f85c2827f7b34b4ecb30886871
Gozi
982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203
Gozi
a5ea92139f59d185548e8f48d1ce65cbf54bf1e3e1930de221091017fd1d4f0a
Gozi
ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d
Gozi
ee53ac8909a116494439489590de99162e1e3ceb6bdf839b6e30bdc1686d2a11
Gozi
+ 210 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000 banker trojan
Link:
https://tria.ge/reports/220809-pc6tlaaadm/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
config.edge.skype.com
79.110.52.8
79.110.52.80
193.106.191.163
Unpacked files
SH256 hash:
e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869
MD5 hash:
62cdd734fdd2d50b1f36f16dac017061
SHA1 hash:
bacbec8f116f3e5274693cf7ba6de5c83fb3d9a8
Link:
https://www.unpac.me/results/6d440cd3-5b26-4fc2-b205-8753598c96d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/297305/

Comments