MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e609894b274a6c42e971e8082af8fd167ade4aef5d1a3816d5acea04839f0b35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e609894b274a6c42e971e8082af8fd167ade4aef5d1a3816d5acea04839f0b35
SHA3-384 hash: 266ee6d6092149286d1db777553e414860b8399290d5329b8de14f14e79fd6f54a2f9e0ba929c276ed08348cea9ba714
SHA1 hash: db92c0a81e8b27d222607e093ccc9d00485db119
MD5 hash: 85fa54c2a97ad3a1f8bd64af62450511
humanhash: jupiter-failed-item-quebec
File name:Zeip.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:606'208 bytes
First seen:2023-01-23 21:56:21 UTC
Last seen:2023-01-26 01:04:37 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 78b4b07ec49eab1076c53a1a1cf86078 (1 x Gozi)
ssdeep 12288:cysmuJC4fktsdyjJGL44Clz8JwsWydYo9NRl:cT7IoyjXTKdlnz
Threatray 3'534 similar samples on MalwareBazaar
TLSH T152D41269D55748F3CBB112B2C0CEBE763EA1AD951B063ACF3847D4825985CD07EB6B02
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter Anonymous
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
4
# of downloads :
211
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
UrsnifV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356147/
Result
Verdict:
Malware
Maliciousness:
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed setupapi.dll
Link:
https://www.filescan.io/uploads/63cf02af2b351a3d0ea7fff3/reports/adf02787-5360-401f-81f6-e6f229fafeb7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/875020b5-3494-46f6-8885-2e9a6243d3c8
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157461
Signature
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e609894b274a6c42e971e8082af8fd167ade4aef5d1a3816d5acea04839f0b35/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4yeysszhjjwef2lr5aecv6h5cz5n4sxplundqfwvvtvaja47bm2q._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
54e1a7dc75b550786afcb0601020a2c50739347541cc8cb969acf76b90222458
Gozi
5d6f1484f6571282790d64821429eeeadee71ba6b6d566088f58370634d2c579
Gozi
65f687a5c0e757cd8e296f8b0453b27726e5017502e93dcb8379d59fe9c056a3
Gozi
7ad0db9da1c28e6d12826b846ee3c82bda649e00d717cb2c4aefeaed56ea48ce
Gozi
86a8a3bcc0a4753d4b21de458d5750af3e9e6301c58e6449404488ff873982a0
Gozi
b43477f47c385bafdba8ad86f3dc7f01b2ee6076bcc1eb53d3d5219e2952cc9d
Gozi
b56043cc20c91f39773e23f2e34612cf4453df9c650b8014b756dffa850b009e
Gozi
cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb
Gozi
+ 3'524 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:20005 banker isfb trojan
Link:
https://tria.ge/reports/230123-1tw69shc6x/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi
Malware Config
C2 Extraction:
trackingg-protectioon.cdn4.mozilla.net
80.77.23.77
80.77.25.109
protectioon.cdn4.mozilla.net
170.130.165.182
80.77.25.114
Unpacked files
SH256 hash:
51dbde82611ae20570bbebe9e83d045af6793edbb2272fcc131e1b8bf037e234
MD5 hash:
0b736ea2c926fbfa8cc4503a2abbba0c
SHA1 hash:
11b6de90b197d52d806a87650668a4b38614be6e
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/b2a2bdd4-6d6a-4009-9981-0cbbfe0efd59/
SH256 hash:
747396d2e454b2d28edf54df8fd515658ba0221fca60688e538c2169a11aba3b
MD5 hash:
2d2f8c54cf68fde3673b7821bfcd8538
SHA1 hash:
0d54bba8ac69d5c2d3ceb13f3cbfdcb07ef83295
Link:
https://www.unpac.me/results/b2a2bdd4-6d6a-4009-9981-0cbbfe0efd59/
SH256 hash:
e609894b274a6c42e971e8082af8fd167ade4aef5d1a3816d5acea04839f0b35
MD5 hash:
85fa54c2a97ad3a1f8bd64af62450511
SHA1 hash:
db92c0a81e8b27d222607e093ccc9d00485db119
Link:
https://www.unpac.me/results/b2a2bdd4-6d6a-4009-9981-0cbbfe0efd59/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e609894b274a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e609894b274a6c42e971e8082af8fd167ade4aef5d1a3816d5acea04839f0b35

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/356147/

Comments