MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d
SHA3-384 hash:	86dbc763a80433b3a7266dec2275be0a37f107302cc80dc7454c6d2d24907fce0077dc9b2f0a60e4a47e1f60cde8b475
SHA1 hash:	37ddabb88b909290e1da368f275448a880887482
MD5 hash:	9046f78804227bd742d558325fa8f4c0
humanhash:	hydrogen-william-apart-princess
File name:	9046f78804227bd742d558325fa8f4c0
Download:	download sample
Signature	Gozi Create hunting rule
File size:	442'368 bytes
First seen:	2022-05-17 08:48:03 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	a2b7486f7219709bc441af397fbc35ab (2 x Gozi)
ssdeep	6144:oW1iktBgcV9yjYJrTOkRLookGIw8OaDSOKdPmo6iJTk/DmpFkbakc+abuFGGGGGD:oW44BgcV9yjY1OkEGx/V72/DmSH6/
Threatray	678 similar samples on MalwareBazaar
TLSH	T15294E00965216A6ED9DC273DC9E1D31B1D62B75CD23E70BE3CF43C9F7AE6125820428A
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	4a696ddce4f4f261 (26 x Gozi, 9 x AgentTesla, 3 x FFDroider)
Reporter	pr0xylife
Tags:	DHL dll Gozi isfb italy Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

795

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/271417/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6283614afd71ca8b2eea447e/reports/68af5cd5-86b7-48ff-9804-dc5cb146a3fa/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/204138a9-dd2f-4618-abdd-9e4840d78d42

Detection:

isfb

Link:

https://mwdb.cert.pl/sample/e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2022-05-17 08:49:06 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4nfpn373lfsrpyzn36bpwkb6roce5q2ng47u4bhjh2mrnutmfb6q._file

Verdict:

malicious

Label(s):

gozi

Gozi

22a462b2da9c893b5f37dbbc19697d6aeaa28758c2338fca3a806e8d9d3ac483

Gozi

315b13c6d80997dd76a01c15b78651d7a1cb54f8432fc25ad95c8573ba4b52d6

Gozi

3362915be3f3ed1572f4ba757d155608f54a460fd935bfe3f37138cf0fe383b6

Gozi

5298257931fb4fcb64bd0e0ba48a2f1f4f1b501813b27d2aabd82056a4feb957

Gozi

9c2a2b8d88ab02d37e21c9b97f10b26543daedf353ce76c17b445688b0a041d6

Gozi

a7e43f89844a769fd9607d78151ebcfac02f58412f7800701b9978e11c82656c

Gozi

f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766

Gozi

+ 668 additional samples on MalwareBazaar

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:3000 banker suricata trojan

Link:

https://tria.ge/reports/220517-kq1ghsccap/

Behaviour

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Gozi, Gozi IFSB

suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

Malware Config

C2 Extraction:

config.edge.skype.com
185.189.151.28
185.189.151.70

Unpacked files

SH256 hash:

8bc96b65bcff25c71338a36aa29ab9eb8ca59afc7ab0e6942b199e7c7fa1ad96

MD5 hash:

fa78697c92e01fb5a939e9b230adf195

SHA1 hash:

feea5e4728271e16f7b9060a79e7445cd4a90b7e

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/d0885dee-882b-421e-9ee7-460635e41900/

Parent samples :

f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766
e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d

SH256 hash:

daaad4b22001d9c853db6bc158d125f820f7be6f4511181be9dbe87ad5fd5259

MD5 hash:

176094ef86e85412dcc783e75c6fc6bb

SHA1 hash:

a1ede4258b613c173a65451e6ee41ff2beea8750

Link:

https://www.unpac.me/results/d0885dee-882b-421e-9ee7-460635e41900/

SH256 hash:

e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d

MD5 hash:

9046f78804227bd742d558325fa8f4c0

SHA1 hash:

37ddabb88b909290e1da368f275448a880887482

Link:

https://www.unpac.me/results/d0885dee-882b-421e-9ee7-460635e41900/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/271417/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample