MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e683390a3c835318f88fce66779c0b424f6097db580aa541ee45e99174130347. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e683390a3c835318f88fce66779c0b424f6097db580aa541ee45e99174130347
SHA3-384 hash: b83e70c6baed777e16fd679c57dc40fb0ddbf607e1b27e778d1d45d216432693513e956971489067efc4f24353ac47a3
SHA1 hash: 94f92241acef218e9a9ca287e0ec1ba95416dc91
MD5 hash: a10412b880220330765f842c76631073
humanhash: ohio-louisiana-stream-virginia
File name:securezza.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:276'992 bytes
First seen:2020-09-14 07:43:25 UTC
Last seen:2020-09-14 08:50:43 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 9c84f0aebd796f6d06f5806839a22071 (1 x Gozi)
ssdeep 6144:GAucT2nDFsip3Ux4o61mqa+kfTSKE6hnKu:GAenD1Eqo61Az7SKhD
Threatray 638 similar samples on MalwareBazaar
TLSH 0044BE40F690C034D85F02368D28C8FE5A797E96CEE8A96777D81F4FB6753A04634B62
Reporter JAMESWT_WT
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
4
# of downloads :
383
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/58964/
Detection(s):
PUA.Win.Packer.PrivateExeProte-11
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/465085
Signature
Creates a COM Internet Explorer object
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 284952 Sample: securezza.dll Startdate: 14/09/2020 Architecture: WINDOWS Score: 68 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Yara detected  Ursnif 2->36 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 cmd.exe 1 8->13         started        signatures5 38 Writes or reads registry keys via WMI 10->38 40 Writes registry values via WMI 10->40 42 Creates a COM Internet Explorer object 10->42 15 iexplore.exe 13 91 13->15         started        process6 process7 17 iexplore.exe 5 163 15->17         started        20 iexplore.exe 29 15->20         started        22 iexplore.exe 31 15->22         started        dnsIp8 24 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49756, 49757 FASTLYUS United States 17->24 26 geolocation.onetrust.com 104.20.185.68, 443, 49744, 49745 CLOUDFLARENETUS United States 17->26 32 9 other IPs or domains 17->32 28 pop5334.yahoo.com 20->28 30 web.fromtheeast.org 89.111.132.22, 49792, 49793, 49794 RU-CENTERRU Russian Federation 22->30
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e683390a3c835318f88fce66779c0b424f6097db580aa541ee45e99174130347/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-09-14 07:42:47 UTC
File Type:
PE (Dll)
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
346b977e05b99881c7ec168c2fa0b68f84ec633d764eb52dd9795e372f45b1b4
Gozi
34fd926b213a1c5726124dff74dbf69c731f8e823168d17cc1c9448501ed314f
Gozi
3ab79263ec3e73bdfb8ef6c93e33622b8529de1cf78d4e6f008368a16139aa18
Gozi
577423ddac7ca6f9b623e528452e4455015d71aa690d44a026c40c6dcaad9569
Gozi
6a39a3e7387f3d214042b2d9d99f4d6de18303d56ad96c9a48df20cf4693091b
Gozi
7398048e3cb424344def184f417b3cbfa1451bf0fa8219c875be0f195468c46d
Gozi
a1a6e3603e050afbe4bd74f714f4bfc69f9f7ff51fc7e6e890a1eab04ccf1737
Gozi
c85d0da5fe543408376ed6c916d5e498aadc0b5f75be0ddc59a4efe3da5fff07
Gozi
e3b9e0c9c3637a620a1fd51cf8bcf63bfe988193fc18fa7eb7a4d19e3b9ee467
Gozi
f53226476a8190fb69a366544e4f394e50e487c429977165a5efdd9e1dbec83e
Gozi
+ 628 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
banker trojan family:gozi_ifsb
Link:
https://tria.ge/reports/200914-8jt5fxj7nj/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e683390a3c835318f88fce66779c0b424f6097db580aa541ee45e99174130347

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/58964/

Comments