MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3
SHA3-384 hash: 28f0bccc4641acccd54e86d99be0c74c01a5485304df37a8f96ca3100a4ff5c7d57cf34ee81eb4e830a9ed1c54b6f952
SHA1 hash: 3ace5fbaa20e144a6e81a83ab7bcbe7e71123808
MD5 hash: 203b91c7b2a358455f5f62a6509cda53
humanhash: idaho-tennis-stairway-fix
File name:e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3
Download: download sample
Signature Gozi
Create hunting rule
File size:2'786'304 bytes
First seen:2022-03-21 08:13:46 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 1c859fc09e7dd8ae36985c58f1251eab (3 x Gozi)
ssdeep 12288:/IbrrbWKli6siZkRExTqOPh0Qr1swduwqG3rovZYrD5otf8ffff34jaq07fqkxAz:tcTqAhZari+yv5X
Threatray 514 similar samples on MalwareBazaar
TLSH T164D58D93DE02A50AE56BC434A254FFF91D833A3356DAC4A793407DC8AA2D8D8853774F
Reporter JAMESWT_WT
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253355/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.43954.5534.18639.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Creating a window
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gozi packed ursnif
Link:
https://www.filescan.io/uploads/623833d2b94fb38cb4c1546c/reports/c148d64e-dcb8-41f0-b24d-596f6d438af4/overview
Result
Verdict:
MALICIOUS
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03ea7441-d675-4c0e-8729-3b7a65f40c75
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960855
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Rundll32 performs DNS lookup (likely malicious behavior)
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Remote Thread Created
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 593340 Sample: l86WZsZuFv Startdate: 21/03/2022 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 8 other signatures 2->65 7 loaddll32.exe 7 2->7         started        11 iexplore.exe 2->11         started        13 iexplore.exe 1 58 2->13         started        15 3 other processes 2->15 process3 dnsIp4 57 interlines.space 7->57 77 Found evasive API chain (may stop execution after checking system information) 7->77 79 Found API chain indicative of debugger detection 7->79 81 Writes or reads registry keys via WMI 7->81 83 Writes registry values via WMI 7->83 17 cmd.exe 1 7->17         started        19 regsvr32.exe 6 7->19         started        23 rundll32.exe 6 7->23         started        29 2 other processes 7->29 31 5 other processes 11->31 25 iexplore.exe 31 13->25         started        27 iexplore.exe 29 13->27         started        33 2 other processes 13->33 35 7 other processes 15->35 signatures5 process6 dnsIp7 37 rundll32.exe 6 17->37         started        41 interlines.space 19->41 67 Writes or reads registry keys via WMI 19->67 69 Writes registry values via WMI 19->69 43 interlines.space 23->43 45 interlines.top 31.41.46.120, 80 ASRELINKRU Russian Federation 25->45 47 interlines.space 31->47 49 linkspremium.ru 62.173.149.135, 49811, 49812, 49815 SPACENET-ASInternetServiceProviderRU Russian Federation 35->49 51 premiumlists.ru 45.128.184.132, 49882, 49883, 49886 MGNHOST-ASRU Russian Federation 35->51 53 2 other IPs or domains 35->53 signatures8 process9 dnsIp10 55 interlines.space 37->55 71 System process connects to network (likely due to code injection or exploit) 37->71 73 Rundll32 performs DNS lookup (likely malicious behavior) 37->73 75 Writes registry values via WMI 37->75 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-02-11 02:07:02 UTC
File Type:
PE (Dll)
Extracted files:
7
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rjp6xcyebtgvtjo23spikgndrwwxs6lof4jsrjl3pykofcfpxbq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86
Gozi
37603cddc36ec9c8b2b6c3d6a0d1a05ee33b1df81befe404ffcc398a6acd1edb
Gozi
388022f82cf14f03e13aac05209d02e26685ae97c45077b64bdbab3e7fa44f17
Gozi
410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd
Gozi
+ 504 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7613 banker trojan
Link:
https://tria.ge/reports/220321-j41trsacf8/
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
interlines.top
interlines.space
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
e6f3b5857a2da506a0f5470400655fc4011600ae4253bba3dae85f7e6a9be6c2
MD5 hash:
21e836bd521081f8b97c3e5a31822afe
SHA1 hash:
fec35c2a1f2d362356573b25f0dd4a50c7be842e
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/c9e0a2a4-ba01-44a2-99b7-e46b45d4b933/
Parent samples :
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
6ad6b32328db40db59bbb1a37ab32024ce2b69173fdbd12167d314ef86e24ed2
e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3
SH256 hash:
831619fb5a9b21c3cd073a901e05a1a94be2f1db95a71751a4c54d6061d9c117
MD5 hash:
67eb78fba57178ed8a19f1cacb04538d
SHA1 hash:
39bdd27dc35920567861066e286e6f3b1928f07d
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/c9e0a2a4-ba01-44a2-99b7-e46b45d4b933/
Parent samples :
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
6ad6b32328db40db59bbb1a37ab32024ce2b69173fdbd12167d314ef86e24ed2
e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3
SH256 hash:
e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3
MD5 hash:
203b91c7b2a358455f5f62a6509cda53
SHA1 hash:
3ace5fbaa20e144a6e81a83ab7bcbe7e71123808
Link:
https://www.unpac.me/results/c9e0a2a4-ba01-44a2-99b7-e46b45d4b933/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/253355/

Comments