MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5ddae0f09c15a7eaebe71a0ccfcb83ccdd629760b612fffaab46d9a4260e662. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5ddae0f09c15a7eaebe71a0ccfcb83ccdd629760b612fffaab46d9a4260e662
SHA3-384 hash: cb9adc3e58266e3b2280725ac56b05cfc273aade6990d3f198e1c0759542c249b86e9fd73ba984abc9e6e52b834ae333
SHA1 hash: 5a64fc794c133a525ea70e06ce335a7b238db2f4
MD5 hash: 5adbb59a4def2a9bfd37e3e0aebbed1d
humanhash: lake-lake-zebra-freddie
File name:619b721d39f71.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:134'656 bytes
First seen:2021-11-22 10:35:14 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 4c89e39b5ebc619c69b957c6b4f65780 (6 x Gozi)
ssdeep 3072:LvOaXNXxXqpTzj3Ec0dFP37Gw4nsGyTbP0/8WukDtY:znQzq7esGyXPJMDtY
Threatray 493 similar samples on MalwareBazaar
TLSH T16DD3BF4176D0C8B0D2FE2E356874A2A59A3EF9150FD14DE72B9A11394F205C1FA36E3E
Reporter JAMESWT_WT
Tags:dll enel EnelEnergia Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
621
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware
Link:
https://www.filescan.io/uploads/619b7295398e2553d200af11/reports/1bc48743-0b53-4a97-977b-e1323e27191b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43e13fa1-fc78-4f4a-8b1b-70fb1b3fbd66
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/893723
Signature
Found malware configuration
Potentially malicious time measurement code found
Tries to detect virtualization through RDTSC time measurements
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526201 Sample: 619b721d39f71.dll Startdate: 22/11/2021 Architecture: WINDOWS Score: 64 31 Found malware configuration 2->31 33 Yara detected  Ursnif 2->33 7 loaddll32.exe 1 2->7         started        process3 signatures4 37 Tries to detect virtualization through RDTSC time measurements 7->37 39 Potentially malicious time measurement code found 7->39 10 regsvr32.exe 7->10         started        13 cmd.exe 1 7->13         started        15 iexplore.exe 1 73 7->15         started        17 3 other processes 7->17 process5 signatures6 41 Tries to detect virtualization through RDTSC time measurements 10->41 43 Potentially malicious time measurement code found 10->43 19 rundll32.exe 13->19         started        22 iexplore.exe 2 148 15->22         started        process7 dnsIp8 35 Tries to detect virtualization through RDTSC time measurements 19->35 25 btloader.com 104.26.7.139, 443, 49805, 49806 CLOUDFLARENETUS United States 22->25 27 www.msn.com 22->27 29 6 other IPs or domains 22->29 signatures9
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e5ddae0f09c15a7eaebe71a0ccfcb83ccdd629760b612fffaab46d9a4260e662/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 10:37:01 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0570fd54d98349e62675cf1e53aa2197ed6c0df811350bfae9f64196b0a49278
Gozi
210943dc00e09514fe7d9a433596e78a21d7eb3bf3537b7e8327b985c8ad7d4d
Gozi
2f4d76314a00fb7a8047fcdd3ee26c39d2a550cde356d35ae517631392a66e8a
Gozi
4ddacac68fd062781fece1e92b3f1682d49fe23fc812e721c330f25237f4c20f
Gozi
a5540f6dd0f7761dd3f7e52f5e1d25332b99d95cccf63401d202406160948750
Gozi
d7e64f8e65ce586ce2f0a857810b2a23f85140bf5e52e5a824f09787fb2bf45e
Gozi
e5cf7cd1382587ee1b71f4efbde4899b2b370db79a868e5fbabe8fdffaa711f0
Gozi
f2dfc3562e150ca045557559269c3c21531bb85292864109fd2ceca4fe0f1ea9
Gozi
fa97cd35d76337ff4a523ebdd7f879359a70432a14b7377f06df29c4679b3f70
Gozi
+ 483 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211122-mm81laacd9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
a98563af81949a6f5268994c523cad9c7ef028418e4fc84d446a021382e6e14c
MD5 hash:
cdf3bdc294b699f25b8d6ff8c1a2171e
SHA1 hash:
bd28cb6aa90934cbaf6fd52c68271c4f4fffbb60
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/ffc5ad10-2330-4d1e-881b-167e95e10b6b/
Parent samples :
e5ddae0f09c15a7eaebe71a0ccfcb83ccdd629760b612fffaab46d9a4260e662
b82a1d06e5650808ae0b9ef1a77cc6047ca0601b13a9afa8cded17a93e27cda9
bce328beb9ae78ec279dc17bf701d58cb1cfa12ff570b00c78c0ada6893c80cf
43440e9a6d2d0a68b84f7885fda26748fa86de6ca709a883959e2640f3f706bf
5bbba6d13c8222ef2cc5c4aecf14043f1e74d164ab2a1b3e4b68ee6cb086900c
450a436cf830b03533a2ce0d8d40724d61c8b0e5f8164413c05d2c870b4ba8eb
SH256 hash:
e5ddae0f09c15a7eaebe71a0ccfcb83ccdd629760b612fffaab46d9a4260e662
MD5 hash:
5adbb59a4def2a9bfd37e3e0aebbed1d
SHA1 hash:
5a64fc794c133a525ea70e06ce335a7b238db2f4
Link:
https://www.unpac.me/results/ffc5ad10-2330-4d1e-881b-167e95e10b6b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5ddae0f09c15a7eaebe71a0ccfcb83ccdd629760b612fffaab46d9a4260e662

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/208091/

Comments