MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a
SHA3-384 hash: b6208d77a5036ae705f9e18c163c3c575efc97b84ab6ccb8ce8445f131852e8a994022a000d1fed43b5138bd7a3151e8
SHA1 hash: 5eb3be88abb84f63e04c92bc3e35a82a01689971
MD5 hash: 9a453cc31ebfca29d8df565258fbf8ce
humanhash: comet-twenty-india-south
File name:9a453cc31ebfca29d8df565258fbf8ce.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:662'688 bytes
First seen:2021-10-08 04:40:55 UTC
Last seen:2021-10-08 06:10:37 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 8d2de2ae605a2294ac6efde10e33795a (2 x Gozi)
ssdeep 12288:6vWBEPfqPoo44cvquI2Pg/8wsPrcPgIDU1Iu3vEI8Vck+5gS2oQkoKeyFtseQOYc:6v5Pbo4ZgaPrOpI1IkvIVc1qDoQko/yz
TLSH T19DE430443A54F510E6AD6972CF2AC5F907157D09EFF1B48B78E03E1F2AAE8A3D516302
Reporter abuse_ch
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
818
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196020/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.835.25462.32389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay
Link:
https://www.filescan.io/uploads/615fcbdf98a6280f3934362d/reports/bb2e4a44-5481-4980-b8fc-c3aa42aa2730/overview
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14a2921f-d364-4c40-87ff-63b8ad968ab1
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866839
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Sigma detected: Encoded IEX
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell run code from registry
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 499264 Sample: uT9rwkGATJ.dll Startdate: 08/10/2021 Architecture: WINDOWS Score: 100 104 Found malware configuration 2->104 106 Sigma detected: Powershell run code from registry 2->106 108 Yara detected  Ursnif 2->108 110 9 other signatures 2->110 9 mshta.exe 19 2->9         started        12 loaddll32.exe 1 1 2->12         started        15 mshta.exe 2->15         started        process3 dnsIp4 130 Suspicious powershell command line found 9->130 17 powershell.exe 30 9->17         started        98 outlook.com 40.97.156.114, 443, 49754 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->98 100 HHN-efz.ms-acdc.office.com 52.97.151.18, 443, 49756 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->100 102 7 other IPs or domains 12->102 132 Writes to foreign memory regions 12->132 134 Writes or reads registry keys via WMI 12->134 136 Writes registry values via WMI 12->136 21 cmd.exe 1 12->21         started        23 rundll32.exe 12->23         started        25 control.exe 12->25         started        29 2 other processes 12->29 27 powershell.exe 15->27         started        signatures5 process6 file7 80 C:\Users\user\AppData\...\uio4qdnj.cmdline, UTF-8 17->80 dropped 112 Injects code into the Windows Explorer (explorer.exe) 17->112 114 Writes to foreign memory regions 17->114 116 Modifies the context of a thread in another process (thread injection) 17->116 31 explorer.exe 17->31 injected 34 csc.exe 17->34         started        37 csc.exe 17->37         started        39 conhost.exe 17->39         started        41 rundll32.exe 21->41         started        118 System process connects to network (likely due to code injection or exploit) 23->118 120 Writes registry values via WMI 23->120 44 rundll32.exe 25->44         started        122 Maps a DLL or memory area into another process 27->122 124 Creates a thread in another existing process (thread injection) 27->124 46 csc.exe 27->46         started        48 csc.exe 27->48         started        50 conhost.exe 27->50         started        signatures8 process9 dnsIp10 138 Changes memory attributes in foreign processes to executable or writable 31->138 140 Self deletion via cmd delete 31->140 142 Writes to foreign memory regions 31->142 146 5 other signatures 31->146 52 cmd.exe 31->52         started        55 cmd.exe 31->55         started        57 RuntimeBroker.exe 31->57 injected 82 C:\Users\user\AppData\Local\...\uio4qdnj.dll, PE32 34->82 dropped 59 cvtres.exe 34->59         started        84 C:\Users\user\AppData\Local\...\hjljqxud.dll, PE32 37->84 dropped 61 cvtres.exe 37->61         started        90 40.101.9.178, 443, 49765 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 41->90 92 40.97.160.2, 443, 49764 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 41->92 94 10 other IPs or domains 41->94 144 System process connects to network (likely due to code injection or exploit) 41->144 63 control.exe 41->63         started        86 C:\Users\user\AppData\Local\...\hiiw3gsl.dll, PE32 46->86 dropped 65 cvtres.exe 46->65         started        88 C:\Users\user\AppData\Local\...\ebytp2em.dll, PE32 48->88 dropped 67 cvtres.exe 48->67         started        file11 signatures12 process13 signatures14 126 Uses ping.exe to sleep 52->126 128 Uses ping.exe to check the status of other devices and networks 52->128 69 conhost.exe 52->69         started        71 PING.EXE 52->71         started        73 PING.EXE 55->73         started        76 conhost.exe 55->76         started        78 rundll32.exe 63->78         started        process15 dnsIp16 96 192.168.2.1 unknown unknown 73->96
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 04:41:04 UTC
File Type:
PE (Dll)
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5lwzi7qe5v3ft652ekd6nfs3fqewaa22uu43k6u7tykvasqbzifa._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:2525 banker trojan
Link:
https://tria.ge/reports/211008-fa5dbadca8/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
zereunrtol.website
xereunrtol.website
Unpacked files
SH256 hash:
ef72cfbd00bc1ab256a90087fe1391b4c9ed8d4755ea7010dc8b7bcac895f33b
MD5 hash:
3c86773ecbe4102315c2a76478fc82e6
SHA1 hash:
a452a07d4599172fa77a6a4c251af97279e2f117
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/b4e47cf6-88cb-4dd3-80df-0b399c8c751a/
Parent samples :
424539700d74c045f668142ca54848fde11e2859de07927130fa06a074139aee
eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a
SH256 hash:
b024ea56ef6ad96f5b69aaedb4ff900973965fe852683b463ded82c055f34cdf
MD5 hash:
025e90770a1ad0fd4813bb98ad8388f2
SHA1 hash:
2914dd6b0723eeb71aaadf42a9d612517b8b3b0f
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/b4e47cf6-88cb-4dd3-80df-0b399c8c751a/
SH256 hash:
eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a
MD5 hash:
9a453cc31ebfca29d8df565258fbf8ce
SHA1 hash:
5eb3be88abb84f63e04c92bc3e35a82a01689971
Link:
https://www.unpac.me/results/b4e47cf6-88cb-4dd3-80df-0b399c8c751a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/196020/

Comments