MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e789b72e2160d3c51e6ab89c99d8bb1075f380f875e8a7bfc8dae20eff3e8388. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e789b72e2160d3c51e6ab89c99d8bb1075f380f875e8a7bfc8dae20eff3e8388
SHA3-384 hash: ce0e55fcbf8316b78049c44890ef9f8e6b5031875003a11c258bdfcf55e6fe0f0523dd0da787fcb8a7410994f085cdb4
SHA1 hash: a83e77da3c1c2ae001bd826a8e1bb4b6aa03b1c0
MD5 hash: 2dada3d358b69addb0557cf821335f35
humanhash: nuts-robert-lithium-don
File name:2dada3d358b69addb0557cf821335f35.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:173'568 bytes
First seen:2021-02-28 08:43:40 UTC
Last seen:2021-02-28 10:48:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7dd77e7157301149249e93a10e393349 (2 x Gozi, 1 x SystemBC)
ssdeep 3072:79mf8aENUYtyLIm6yHDF7Y5TzM7Z09YY3+iE1nBQvBPC42lJeS:7YhEdtyLIm6gDF7Y5TzMu9du1aEe
TLSH D304AD317591C033E45311745AE5C2F59A2BB8B11BAAAAC7BBC40B2D5F713F2DA36342
Reporter abuse_ch
Tags:exe Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2dada3d358b69addb0557cf821335f35.exe
Verdict:
No threats detected
Analysis date:
2021-02-28 08:49:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e676c90e-2736-46fa-aaa4-d904e152fd04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119997/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.73232.5860.31515.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/620871
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359428 Sample: NZrcLZZ3EI.exe Startdate: 28/02/2021 Architecture: WINDOWS Score: 92 27 Multi AV Scanner detection for domain / URL 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected  Ursnif 2->31 33 Machine Learning detection for sample 2->33 6 NZrcLZZ3EI.exe 2->6         started        9 iexplore.exe 1 50 2->9         started        11 iexplore.exe 1 73 2->11         started        14 iexplore.exe 1 50 2->14         started        process3 dnsIp4 35 Detected unpacking (changes PE section rights) 6->35 37 Detected unpacking (overwrites its own PE header) 6->37 39 Writes or reads registry keys via WMI 6->39 41 Writes registry values via WMI 6->41 16 iexplore.exe 31 9->16         started        25 192.168.2.1 unknown unknown 11->25 19 iexplore.exe 35 11->19         started        21 iexplore.exe 32 14->21         started        signatures5 process6 dnsIp7 23 darwikalldkkalsld.xyz 16->23
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e789b72e2160d3c51e6ab89c99d8bb1075f380f875e8a7bfc8dae20eff3e8388/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-28 08:44:06 UTC
AV detection:
16 of 47 (34.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=46e3olrbmdj4khtkxcojtwf3cb27hahyoxukpp6i3lra57z6qoea._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:6565 banker trojan
Link:
https://tria.ge/reports/210228-a8ml23n71a/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
updates.microsoft.com
klounisoronws.xyz
darwikalldkkalsld.xyz
c1.microsoft.com
ctldl.windowsupdate.com
195.123.209.122
185.82.218.23
5.34.183.180
bloombergdalas.xyz
groovermanikos.xyz
kadskasdjlkewrjk.xyz
Unpacked files
SH256 hash:
ba63c14d0972a3bed8b8813954b4ddeaa8ef733afac9ed3a86372bfc87a2aa97
MD5 hash:
01bbf9a59beeb52288bdec21980db6e7
SHA1 hash:
ca85f5df9b2572f5a1606eeabee646dc871a9712
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/f5439bb3-a938-4f26-8b38-52f7f2bbc606/
Parent samples :
77e3afaec1b7b091e7f1fd3bbfac6aa65216e60d6b6f3c866304913278470f61
33b931c8f19d3ef8b354cc7ca24ebfbb2cdf2b83e5717b1dd7c81cef80238591
9d40d8e5b54507f1e857aaa2c16fd22b7e3eb3c87a72d33a649bd9bc382a21b4
e789b72e2160d3c51e6ab89c99d8bb1075f380f875e8a7bfc8dae20eff3e8388
f7c8f22c944ad9bcf149348cbbe8f404fc69b58fe15977245fc2413f6e327e09
267d3265b48b05aeb6ea82ca0f6ba1766108ecab9d7e2a5803c92ea055c53428
1592f542473e48b5a4ceac2f276254d0e8c4c7f820e500979f2a787bb6e32507
SH256 hash:
2ac8620b1de4794b94b38a4553ab67a18d46619c21ce92ee6ab73817c3d358bf
MD5 hash:
56de81fec324795547e2d141a0b1f3f4
SHA1 hash:
76818e6af68e7483174bc0e44922c03c4b6bfdd7
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/f5439bb3-a938-4f26-8b38-52f7f2bbc606/
SH256 hash:
f35ac91b3c86e70da0367ff59614d036509035f4ffc33d356f5859f016ce19f6
MD5 hash:
795432234e2e7983d1a3d81daa9e873e
SHA1 hash:
12b774690d914da18a9f719ea368eb88bfc1caa8
Link:
https://www.unpac.me/results/f5439bb3-a938-4f26-8b38-52f7f2bbc606/
SH256 hash:
e789b72e2160d3c51e6ab89c99d8bb1075f380f875e8a7bfc8dae20eff3e8388
MD5 hash:
2dada3d358b69addb0557cf821335f35
SHA1 hash:
a83e77da3c1c2ae001bd826a8e1bb4b6aa03b1c0
Link:
https://www.unpac.me/results/f5439bb3-a938-4f26-8b38-52f7f2bbc606/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e789b72e2160d3c51e6ab89c99d8bb1075f380f875e8a7bfc8dae20eff3e8388

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe e789b72e2160d3c51e6ab89c99d8bb1075f380f875e8a7bfc8dae20eff3e8388

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1030978/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/119997/

Comments