MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1c53b0e0d02d22d90496aa67298086866f78fbe18ee00b17ce4fd1beb0f033c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1c53b0e0d02d22d90496aa67298086866f78fbe18ee00b17ce4fd1beb0f033c
SHA3-384 hash: 54897be41e4b05f3dd6252491497d83f4e49f58bc7397c6124bcde64a13c4a419328b9428229eea1e79e092908a31a88
SHA1 hash: 7c3f6f52a08428358ad2b6032f99f28ea87b8cc7
MD5 hash: c54784a2a5c1b33fd4e29b63d39f7f17
humanhash: triple-november-uniform-orange
File name:presentation.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:877'568 bytes
First seen:2021-04-30 10:24:45 UTC
Last seen:2021-04-30 11:02:18 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 2ae303c724781f4a3a0c5970569d9324 (1 x Gozi)
ssdeep 12288:32a/rAA8VjD83Mmzv5ALfcfvMJ4bXD9eQ4q0I2Z45NVsRso9gB2/j2vPTSy4jvt3:D0PsvIfc8abX14pW5NDQIPqjpqy0
Threatray 223 similar samples on MalwareBazaar
TLSH 93156C21B741C039F5A350FC4ABDD2BD692C79A15B6811CB73CC2BEE5B31AE0693125B
Reporter 0x746f6d6669
Tags:Gozi

Intelligence

File Origin
# of uploads :
3
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147371/
Detection(s):
SecuriteInfo.com.Variant.Babar.26409.21982.26798.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/704551
Signature
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 401205 Sample: presentation.dll Startdate: 30/04/2021 Architecture: WINDOWS Score: 64 15 Found malware configuration 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected  Ursnif 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1c53b0e0d02d22d90496aa67298086866f78fbe18ee00b17ce4fd1beb0f033c/
Threat name:
Win32.Trojan.Johnnie
Create hunting rule
Status:
Malicious
First seen:
2021-04-30 05:10:48 UTC
AV detection:
12 of 47 (25.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hctwdqnaljc3ecjnkthfgainbtppd56ddxabml44t6rx2ypam6a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2e5718f3104aa7083d05cf39485a89236aa452b8fdc10ecc3a01c1195a991ad4
Gozi
3c0bc20be866d4a0156f5b1ebb5418e9e58b65f292f4defbde0052644ca2c0e9
Gozi
419e1f52d1dd72ef9e9d2af16124abcaa2cc889389bbb10bb8d1fa23276ba697
Gozi
532bc80351a659699d32d8f10760dca714cb395997cf0667e9631983d1b3a773
Gozi
70d9397fa81ec09be21e1bc235c6c9838612ba43cf238bcaf5525321a8ec3df0
Gozi
900a62f1d821af1da2b5235e651057b062a9fd3c74002ac38218038f7e6b4ea4
Gozi
9ed3ecdf0bb81781af7d2047a54103aa6eed022d1dd01b0477359558a28c6c06
Gozi
ea0f2536c5068f5a7b2c4776f40bf9eb8fbbb79f63c854991b4c57b8959fbf56
Gozi
f1abc2c7434df1d042774d3b48b1b609a576bb50a288802c646de4450a42345d
Gozi
f7d4b9acabc3f9a0425ed10c542838f0206b0ce8458b5b7b3b1f9211436d684a
Gozi
+ 213 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3500 banker trojan
Link:
https://tria.ge/reports/210430-xxy9r8affa/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
green.salurober.com
frm.mironeramp.com
chat.billionady.com
app3.maintorna.com
Unpacked files
SH256 hash:
c900ed82ab6c564ae406a3a222890cfd7cb7d737ae8c5342b11143119e2ae824
MD5 hash:
ea4dec2e50ce66e130b55bb369ef7b84
SHA1 hash:
a0e167c182301ebbcebd974b14a32f21830f525c
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/889d3be4-1f75-4274-ba21-740a5b2d1384/
SH256 hash:
e1c53b0e0d02d22d90496aa67298086866f78fbe18ee00b17ce4fd1beb0f033c
MD5 hash:
c54784a2a5c1b33fd4e29b63d39f7f17
SHA1 hash:
7c3f6f52a08428358ad2b6032f99f28ea87b8cc7
Link:
https://www.unpac.me/results/889d3be4-1f75-4274-ba21-740a5b2d1384/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Babar
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e1c53b0e0d02d22d90496aa67298086866f78fbe18ee00b17ce4fd1beb0f033c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/147371/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-30 11:03:11 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0002.014] Communication Micro-objective::Read Header::HTTP Communication
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0052] File System Micro-objective::Writes File
4) [C0007] Memory Micro-objective::Allocate Memory
5) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
6) [C0040] Process Micro-objective::Allocate Thread Local Storage
7) [C0043] Process Micro-objective::Check Mutex
8) [C0041] Process Micro-objective::Set Thread Local Storage Value
9) [C0018] Process Micro-objective::Terminate Process