MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9b8536f66aa5222f1979fea40b25b83f2acb487a0ab61a76378a2128efc0420. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9b8536f66aa5222f1979fea40b25b83f2acb487a0ab61a76378a2128efc0420
SHA3-384 hash: 17c70221bf294c4396b26acaf84a173434c900b09958b3cbae7bc3b27b27cf0da41004b2d750170d77731af9c9bf68c7
SHA1 hash: 7d0b946bfa133ec9c10cb1cca0007139597b2011
MD5 hash: 3bd94cd9d5af80967956a0c2789bf180
humanhash: speaker-echo-nuts-yellow
File name:0pz1on1.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:552'448 bytes
First seen:2020-11-19 08:29:28 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 18cb5c18face4302b794af9a2931a4bc (7 x Dridex, 1 x Gozi)
ssdeep 1536:Ab4BFsd/uqUfnLwBH+AwDD41UPY1NvFQJZWBte:AbkFq/uqUfnbHqtQ+Bg
Threatray 93 similar samples on MalwareBazaar
TLSH 12C4EE06FCA70E5BD623127B24C660406D0EDC8C5F48E487B3A6F67495B73F46DE826A
Reporter JAMESWT_WT
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/542523
Signature
Creates a COM Internet Explorer object
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320364 Sample: 0pz1on1.dll Startdate: 19/11/2020 Architecture: WINDOWS Score: 80 28 Found malware configuration 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected  Ursnif 2->32 34 Machine Learning detection for sample 2->34 6 loaddll32.exe 1 2->6         started        9 iexplore.exe 1 50 2->9         started        11 iexplore.exe 1 50 2->11         started        13 2 other processes 2->13 process3 signatures4 36 Writes or reads registry keys via WMI 6->36 38 Writes registry values via WMI 6->38 40 Creates a COM Internet Explorer object 6->40 15 iexplore.exe 31 9->15         started        18 iexplore.exe 25 11->18         started        20 iexplore.exe 36 13->20         started        22 iexplore.exe 32 13->22         started        process5 dnsIp6 24 billinglines.com 195.110.58.42, 49731, 49732, 80 AS-HOSTINGERLT Lithuania 15->24 26 ocsp.sca1b.amazontrust.com 143.204.15.36, 49749, 49750, 80 AMAZON-02US United States 18->26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9b8536f66aa5222f1979fea40b25b83f2acb487a0ab61a76378a2128efc0420/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 08:28:21 UTC
File Type:
PE (Dll)
Extracted files:
5
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0819171ecacc60ce94d946b5f2d4939f4b27c2d9275feb439a40ef6e927473c2
Gozi
1cbe92dd308b0cff4055bf7ea98e91ca2d1d9160314518e3f09adc8def67bd81
Gozi
2fe961e9bb79716d74f6d4c44e54b685a13d0bf9dc4a9c2e97425178b1cfd43e
Gozi
7f78709da704f5fe0f08e67661f668381028e7649ec06028b89fb43947ee4d8d
Gozi
8c421ff35f676e2a886e33879a324da5660a9d94dd77edc1791f431c124402a4
Gozi
8d2e11c37f1d10e4dfd3f525ee70c5c9f157996b927d94e2c355a4107dbb617c
Gozi
d5ba4c77ca4813a76ceb6be5203a3c3d713e043e82cf80a7aab0d92b28f71a64
Gozi
defd6d5bb8cd5cbd01d7e805d2b0ae7d36a12da501e3dafd9a46baded1fe402d
Gozi
e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536
Gozi
f3f8d996ff8837734356f73ef5794917eaa81829018db1eefcdf4e0c043e5c45
Gozi
+ 83 additional samples on MalwareBazaar
Result
Malware family:
ursnif
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb family:ursnif banker trojan
Link:
https://tria.ge/reports/201119-lw4gbgwzes/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Gozi, Gozi IFSB
Ursnif, Dreambot
Unpacked files
SH256 hash:
e9b8536f66aa5222f1979fea40b25b83f2acb487a0ab61a76378a2128efc0420
MD5 hash:
3bd94cd9d5af80967956a0c2789bf180
SHA1 hash:
7d0b946bfa133ec9c10cb1cca0007139597b2011
Link:
https://www.unpac.me/results/171f1b05-6182-4971-bcca-44a43edbf07a/
SH256 hash:
2e44ea6127a7e51860a7af30a7bb73f92c59785e36cc814cf299e00862dd3412
MD5 hash:
efc8ab3f750c081256008c312f5fc01c
SHA1 hash:
469ff8a0615e733378113004eecde5e22a58f68a
Link:
https://www.unpac.me/results/171f1b05-6182-4971-bcca-44a43edbf07a/
SH256 hash:
c9c0beef3d58904833358a0961341bb091c3e528617a4fc3af4bddf8125b5963
MD5 hash:
7c32acc73677b8b90b1b4b1274c7f2c6
SHA1 hash:
d45258840b421ec1e117c221bb103d3c34225464
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/171f1b05-6182-4971-bcca-44a43edbf07a/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll e9b8536f66aa5222f1979fea40b25b83f2acb487a0ab61a76378a2128efc0420

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/831344/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/831338/
  
URLhaus
https://urlhaus.abuse.ch/url/831345/
  
URLhaus
https://urlhaus.abuse.ch/url/831337/

Comments