MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4a5317a1b7c1ab91bb131dba5fea06fdb89e38c291e17f71b5c1634cfddecbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Gozi
Vendor detections: 10
SHA256 hash: e4a5317a1b7c1ab91bb131dba5fea06fdb89e38c291e17f71b5c1634cfddecbe
SHA3-384 hash: 836d9eb15466d4dedc37506429bfd1328c1bf6140f12c595425b8ed3656744acd7fc6d87b1af3fc8979a0d15a09fcf9c
SHA1 hash: bd34e4d57bfc1938ebc93d8f404dbe7e019db0cf
MD5 hash: a17de50fcd71c572f423c943f926c2a9
humanhash: solar-steak-vegan-charlie
File name: 6.dll
Signature: Gozi
File size: 516'096 bytes
First seen: 2021-08-23 12:39:07 UTC
Last seen: 2021-08-23 17:53:38 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 241e3141afa42b2aa84ab0b3655f0b1e (1 x Gozi)
ssdeep: 12288:B7wAjlh98sQ73RBgy6aqGT8jSXxhYb/iWVEJ10mVSV/+K/BCz7uW:B7wAQsQ735TYb/qhVSk3
Threatray: 476 similar samples on MalwareBazaar
TLSH: T16EB46C027A93E024E5F952F94FB1C6D8A71D79224B6850CFB5F43AAF0F285E39831356
Reporter: James_inthe_box
Tags: brt dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads: 2
# of downloads: 1'817
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 72 / 100
Signature
Found malware configuration
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Threat name: Win32.Trojan.BankerX
Status: Malicious
First seen: 2021-08-23 12:39:09 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 7 of 46 (15.22%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:8877 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
xaaorunokee.site
taaorunokee.site
Unpacked files
SHA256 hash: cc89669a3ca75594456e91595e249f02e41a5b66d1f256a2281804c10ea13c23
MD5 hash: 6eb6ef0ed1b8b345412f9545571042e2
SHA1 hash: b9a1945c04610ae72265c5da6ccfe29ca1a4c52e
Detections: win_isfb_auto
SHA256 hash: e4a5317a1b7c1ab91bb131dba5fea06fdb89e38c291e17f71b5c1634cfddecbe
MD5 hash: a17de50fcd71c572f423c943f926c2a9
SHA1 hash: bd34e4d57bfc1938ebc93d8f404dbe7e019db0cf
Please note that we are no longer able to provide a coverage score for VirusTotal.
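The entry above publishes four digests for the container DLL, separate digests for the unpacked payload, and a three-host C2 list. A practitioner pulling this sample typically wants to (a) confirm the local file really is the published one on every algorithm, not just MD5, (b) tell a container from a dumped payload, and (c) turn the C2 list into something a blocklist can consume. The script below is an added example, not MalwareBazaar's own tooling: the hash strings are copied from this page, while the local file path and the allow-list are assumptions. Note that outlook.com in the extracted config is a legitimate Microsoft domain, so the example keeps it out of the blocklist.

```python
"""Triage helper for this MalwareBazaar entry: verify a local copy against the
published hashes and turn the extracted C2 list into a blocklist.

Added example; the digests are copied from the page, the allow-list and the
default file path are assumptions for illustration.
"""
import hashlib
import sys
from typing import Optional

# Hashes copied from the database entry: the packed DLL and its unpacked payload.
PAGE_RECORDS = {
    "6.dll (packed sample)": {
        "sha256": "e4a5317a1b7c1ab91bb131dba5fea06fdb89e38c291e17f71b5c1634cfddecbe",
        "sha3_384": "836d9eb15466d4dedc37506429bfd1328c1bf6140f12c595425b8ed3656744acd7fc6d87b1af3fc8979a0d15a09fcf9c",
        "sha1": "bd34e4d57bfc1938ebc93d8f404dbe7e019db0cf",
        "md5": "a17de50fcd71c572f423c943f926c2a9",
    },
    "unpacked payload": {
        "sha256": "cc89669a3ca75594456e91595e249f02e41a5b66d1f256a2281804c10ea13c23",
        "sha1": "b9a1945c04610ae72265c5da6ccfe29ca1a4c52e",
        "md5": "6eb6ef0ed1b8b345412f9545571042e2",
    },
}

# C2 list exactly as extracted on the page. outlook.com is a legitimate
# Microsoft domain that shows up in the extracted config and must not be blocked.
PAGE_C2 = ["outlook.com", "xaaorunokee.site", "taaorunokee.site"]
ASSUMED_ALLOWLIST = {"outlook.com"}  # assumption: tune to your own environment


def digest_record(data: bytes) -> dict:
    """Return the four digests MalwareBazaar publishes, as lowercase hex."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def check_sample(data: bytes, record: dict) -> dict:
    """Compare every digest present in `record` with the file; True means match.
    Checking all algorithms separates a truncated download (all mismatch) from a
    record with one mistranscribed hash (single mismatch)."""
    actual = digest_record(data)
    return {algo: actual[algo] == expected.lower()
            for algo, expected in record.items() if algo in actual}


def identify(data: bytes, records: dict = PAGE_RECORDS) -> Optional[str]:
    """Name the record whose SHA256 the file matches (packed container versus
    unpacked payload, e.g. a process dump), or None if it matches neither."""
    sha256 = hashlib.sha256(data).hexdigest()
    for label, record in records.items():
        if record.get("sha256", "").lower() == sha256:
            return label
    return None


def blocklist_from_c2(c2: list, allowlist: set = ASSUMED_ALLOWLIST) -> list:
    """Normalise extracted C2 hosts and drop allow-listed legitimate domains."""
    hosts = {h.strip().lower().rstrip(".") for h in c2 if h.strip()}
    return sorted(hosts - {a.lower() for a in allowlist})


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "6.dll"  # assumed local path
    with open(path, "rb") as fh:
        blob = fh.read()
    label = identify(blob)
    print(f"{path}: {label or 'no match on this entry'}")
    if label:
        for algo, ok in check_sample(blob, PAGE_RECORDS[label]).items():
            print(f"  {algo:<8} {'match' if ok else 'MISMATCH'}")
    print("blocklist:", blocklist_from_c2(PAGE_C2))
```

Run it as `python triage.py 6.dll` against the downloaded archive contents; a file that matches the "unpacked payload" record rather than the packed sample is a dump of the injected stage, which is what the win_isfb_auto rule below fires on.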

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other