MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb5d21b247b7552956d9ed05df2de0f366835db3977c18291b65fdb876897126. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb5d21b247b7552956d9ed05df2de0f366835db3977c18291b65fdb876897126
SHA3-384 hash: 52ec85627dd65c65399693d652d89c4da1bd277b063c715a3607a198bc6fa25e4cff8f1c5a74c9494ec5fef5ac3d79f9
SHA1 hash: c4d359789bdc0066f2ca4b4e383cb18a5d8d2f7f
MD5 hash: 5d600596afcd9e9ee6767ca449257581
humanhash: oven-massachusetts-speaker-moon
File name:SecuriteInfo.com.Win32.Kryptik.HJSQ.12709.32696
Download: download sample
Signature Gozi
Create hunting rule
File size:202'240 bytes
First seen:2021-03-16 08:50:23 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 018e55ae3f151d4568e9b73f76c961f3 (1 x Gozi)
ssdeep 3072:I1q8ifKGVRxu/xoTiTgn43h+1vNYduj8pyA97Vu1IYJ6PV:Ig8iiGzx2oThNYYj47Qu
TLSH E914BE00B255C4B3E136847ADC52C6FD5BE93C40CF789D63BAD52F2FBE6B1809A25122
Reporter SecuriteInfoCom
Tags:Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.Kryptik.HJSQ.12709.32696.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a91a219-1e26-4b74-b395-b1e1c7ad750e
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/640483
Signature
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Found malware configuration
Hooks registry keys query functions (used to hide registry keys)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 369217 Sample: SecuriteInfo.com.Win32.Kryp... Startdate: 16/03/2021 Architecture: WINDOWS Score: 100 54 8.8.8.8.in-addr.arpa 2->54 56 1.0.0.127.in-addr.arpa 2->56 58 3 other IPs or domains 2->58 70 Multi AV Scanner detection for domain / URL 2->70 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 9 other signatures 2->76 9 mshta.exe 2->9         started        12 loaddll32.exe 1 2->12         started        signatures3 process4 signatures5 78 Suspicious powershell command line found 9->78 14 powershell.exe 9->14         started        18 regsvr32.exe 2 12->18         started        20 cmd.exe 1 12->20         started        22 rundll32.exe 12->22         started        process6 file7 50 C:\Users\user\AppData\Local\...\igqmbeqc.0.cs, UTF-8 14->50 dropped 52 C:\Users\user\AppData\...\3q3gcpph.cmdline, UTF-8 14->52 dropped 80 Modifies the context of a thread in another process (thread injection) 14->80 82 Maps a DLL or memory area into another process 14->82 84 Compiles code for process injection (via .Net compiler) 14->84 86 Creates a thread in another existing process (thread injection) 14->86 24 csc.exe 14->24         started        27 csc.exe 14->27         started        29 conhost.exe 14->29         started        88 Writes or reads registry keys via WMI 18->88 90 Writes registry values via WMI 18->90 31 iexplore.exe 2 95 20->31         started        signatures8 process9 file10 46 C:\Users\user\AppData\Local\...\3q3gcpph.dll, PE32 24->46 dropped 33 cvtres.exe 24->33         started        48 C:\Users\user\AppData\Local\...\igqmbeqc.dll, PE32 27->48 dropped 35 cvtres.exe 27->35         started        37 iexplore.exe 153 31->37         started        40 iexplore.exe 29 31->40         started        42 iexplore.exe 29 31->42         started        44 4 other processes 31->44 process11 dnsIp12 60 img.img-taboola.com 37->60 62 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49727, 49728 FASTLYUS United States 37->62 68 8 other IPs or domains 37->68 64 api10.laptok.at 35.189.93.117, 49749, 49750, 49751 GOOGLEUS United States 40->64 66 192.168.2.1 unknown unknown 44->66
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eb5d21b247b7552956d9ed05df2de0f366835db3977c18291b65fdb876897126/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-16 07:43:52 UTC
AV detection:
8 of 47 (17.02%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5nosdmshw5kssvwz5uc56lpa6ntigxnts56bqki3mx63q5ujoeta._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3300 banker trojan
Link:
https://tria.ge/reports/210316-4cthsmzpys/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
api10.laptok.at/api1
golang.feel500.at/api1
go.in100k.at/api1
Unpacked files
SH256 hash:
5b5e1d0322e115318cef7a63555e89b01e252a6df6306ae9b87f82316192a577
MD5 hash:
b43b41fae1dcdfbd8baaed5818063e50
SHA1 hash:
4213941c4d5ce130bb30583e9b10993670186e00
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/e70fbfad-4d37-4a07-98db-5deff202c841/
Parent samples :
440157f39cb4231bc339eb6c862cbaa8185fef1e3178775d6f09ae0a22948e25
eb5d21b247b7552956d9ed05df2de0f366835db3977c18291b65fdb876897126
SH256 hash:
eb5d21b247b7552956d9ed05df2de0f366835db3977c18291b65fdb876897126
MD5 hash:
5d600596afcd9e9ee6767ca449257581
SHA1 hash:
c4d359789bdc0066f2ca4b4e383cb18a5d8d2f7f
Link:
https://www.unpac.me/results/e70fbfad-4d37-4a07-98db-5deff202c841/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb5d21b247b7552956d9ed05df2de0f366835db3977c18291b65fdb876897126

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll eb5d21b247b7552956d9ed05df2de0f366835db3977c18291b65fdb876897126

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1070382/
  
Delivery method
Distributed via web download

Comments