MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e53caa0529020312a9092b409c2a38d6ddf0c3d2786832a514657ca617df770f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e53caa0529020312a9092b409c2a38d6ddf0c3d2786832a514657ca617df770f
SHA3-384 hash: 3d107f4da1e1386935297e52fd5085becab69fdee18d706e2a46376a86e99c16ec6fcab6f6f5cefda522907a5dc8de46
SHA1 hash: 589e3e955c870821277c7f2ea9f60bc37bbb7825
MD5 hash: 3896aee936d55d53efa5e0d1c2ab817d
humanhash: four-moon-robin-bulldog
File name:60b49bdd63509.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:376'832 bytes
First seen:2021-05-31 08:19:42 UTC
Last seen:2021-05-31 08:48:11 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 33440a0287e1f3d8bfd56dd3109f1807 (1 x Gozi)
ssdeep 6144:OleU+qFT+jVIX9dLtRRCZLP9r/OeAd+gCdnprch:OlegYjuvtnCZj9rP4CZs
Threatray 328 similar samples on MalwareBazaar
TLSH 4084CF1071C1C072C45201BE8505C7685BFEBD609D3A5F4B7BE91ECF9F29AA2AB36352
Reporter JAMESWT_WT
Tags:brt dll Gozi ifsb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
438
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/163385/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.12281.5502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Searching for the window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/794567
Signature
Found malware configuration
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 426963 Sample: 60b49bdd63509.dll Startdate: 31/05/2021 Architecture: WINDOWS Score: 64 24 cloudinoren.club 2->24 26 www.redtube.com 2->26 28 18 other IPs or domains 2->28 36 Found malware configuration 2->36 38 Yara detected  Ursnif 2->38 8 loaddll32.exe 1 2->8         started        11 iexplore.exe 2 83 2->11         started        signatures3 process4 signatures5 40 Writes or reads registry keys via WMI 8->40 42 Writes registry values via WMI 8->42 13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 rundll32.exe 8->17         started        19 iexplore.exe 25 11->19         started        process6 dnsIp7 22 rundll32.exe 13->22         started        30 HHN-efz.ms-acdc.office.com 40.101.137.50, 443, 49741, 49742 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->30 32 outlook.com 40.97.148.226, 443, 49737, 49738 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->32 34 5 other IPs or domains 19->34 process8
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e53caa0529020312a9092b409c2a38d6ddf0c3d2786832a514657ca617df770f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4u6kubjjaibrfkijfnajykry23o7bq6spbudfjiumv6kmf67o4hq._file
Verdict:
malicious
Similar samples:
1a0d4b328438a72cee012f6387825d942463b896fadc13f2c17e8d005f510cd4
Gozi
3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34
Gozi
4bf6e9d4067cb905631ddf7452ac571c4ed9800c7eb8fc7e51b688e1154f52e3
Gozi
5d002f8a395fcc9a680a9ef4f78a8674cc0757850b02bf12a8ef4df79e2e4bd3
Gozi
821f1b68c207b41e21b519610931ce46719307d99e3e8aeb397ac720d870b476
Gozi
9164fdcb36a96b934a66b23da4101dc5a24ccc8807aeb12760132fe4e64c5a9a
Gozi
bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
Gozi
e81869620b9a18c3702c7be2fcf2e170cbc5c3de1ddbc84ae1fe190b57e917a0
Gozi
eb498648d17ad5250ab1f38b190dd2da8bfa8db3ee86054db991db79d15ad5cc
Gozi
eea88dde6db60a47f8739970d92b729194d2cd6a6d25644a0f26590c2e7097ef
Gozi
+ 318 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8877 banker trojan
Link:
https://tria.ge/reports/210531-hv3bhxjgz6/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com/login
roudinoden.club
cloudinoren.club
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e53caa0529020312a9092b409c2a38d6ddf0c3d2786832a514657ca617df770f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163385/

Comments