MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87
SHA3-384 hash: 30cb470534e56d3db093d02617394d5d7a744add401ddb67d984d15fb458e3d858746504b5020eed72bb4aab3154646e
SHA1 hash: 9a642c22ebc19f4f8063b5ae986843916309b95a
MD5 hash: a3aa691bc97faf6f17eec0841b5ff730
humanhash: carpet-louisiana-tennessee-johnny
File name:a3aa691bc97faf6f17eec0841b5ff730.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:1'094'144 bytes
First seen:2021-04-18 07:37:11 UTC
Last seen:2021-04-18 08:53:44 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 311eb3276aa89abb7c1fb493855050ac (1 x Gozi)
ssdeep 24576:yM7rd0PBLf2gYwRIHC/0D5XKt2XsCxpZw4p:mEIMD5X/8Y8
Threatray 443 similar samples on MalwareBazaar
TLSH 2235AED23FA38C56F96E2B3518175051EE167EB88F38B3CF2DC915CA052D58B8EB0616
Reporter abuse_ch
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/137532/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.35525.26699.20941.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Searching for the window
Creating a file in the %AppData% subdirectories
Launching a process
Unauthorized injection to a browser process
Creating a window
Creating a process with a hidden window
Setting browser functions hooks
Deleting of the original file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Gozi Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/684615
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Detected Gozi e-Banking trojan
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to steal Mail credentials (via file access)
Uses nslookup.exe to query domains
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 391256 Sample: o0AX0nKiUn.dll Startdate: 18/04/2021 Architecture: WINDOWS Score: 100 54 222.222.67.208.in-addr.arpa 2->54 56 resolver1.opendns.com 2->56 58 myip.opendns.com 2->58 86 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->86 88 Multi AV Scanner detection for domain / URL 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 9 other signatures 2->92 10 loaddll32.exe 3 2->10         started        signatures3 process4 signatures5 112 Writes to foreign memory regions 10->112 114 Modifies the context of a thread in another process (thread injection) 10->114 116 Maps a DLL or memory area into another process 10->116 118 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 10->118 13 control.exe 1 10->13         started        16 cmd.exe 1 10->16         started        18 rundll32.exe 10->18         started        process6 signatures7 126 Changes memory attributes in foreign processes to executable or writable 13->126 128 Injects code into the Windows Explorer (explorer.exe) 13->128 130 Writes to foreign memory regions 13->130 136 4 other signatures 13->136 20 explorer.exe 7 8 13->20 injected 24 rundll32.exe 13->24         started        26 rundll32.exe 3 3 16->26         started        132 Detected Gozi e-Banking trojan 18->132 134 Uses nslookup.exe to query domains 18->134 28 nslookup.exe 18->28         started        30 conhost.exe 18->30         started        process8 dnsIp9 60 shoshanna.at 87.106.18.141, 49718, 49728, 80 ONEANDONE-ASBrauerstrasse48DE Germany 20->60 62 192.168.2.1 unknown unknown 20->62 94 System process connects to network (likely due to code injection or exploit) 20->94 96 Tries to steal Mail credentials (via file access) 20->96 98 Changes memory attributes in foreign processes to executable or writable 20->98 110 3 other signatures 20->110 32 rundll32.exe 20->32         started        35 rundll32.exe 20->35         started        37 cmd.exe 20->37         started        41 8 other processes 20->41 100 Writes to foreign memory regions 26->100 102 Allocates memory in foreign processes 26->102 104 Modifies the context of a thread in another process (thread injection) 26->104 106 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 26->106 39 control.exe 2 1 26->39         started        64 222.222.67.208.in-addr.arpa 28->64 66 resolver1.opendns.com 28->66 68 myip.opendns.com 28->68 108 May check the online IP address of the machine 28->108 signatures10 process11 signatures12 70 Writes to foreign memory regions 32->70 72 Allocates memory in foreign processes 32->72 74 Modifies the context of a thread in another process (thread injection) 32->74 43 rundll32.exe 32->43         started        46 rundll32.exe 35->46         started        76 Uses nslookup.exe to query domains 37->76 78 Changes memory attributes in foreign processes to executable or writable 39->78 80 Injects code into the Windows Explorer (explorer.exe) 39->80 82 Maps a DLL or memory area into another process 39->82 84 Creates a thread in another existing process (thread injection) 39->84 48 rundll32.exe 39->48         started        50 conhost.exe 41->50         started        52 conhost.exe 41->52         started        process13 signatures14 120 Modifies the context of a thread in another process (thread injection) 43->120 122 Maps a DLL or memory area into another process 43->122 124 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 43->124
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5nrz5hkf5vguz6irdfnx55j5mgex3whye3cuflsbdbkn33b25kdq._file
Verdict:
malicious
Similar samples:
09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285
Gozi
2a80deaa083bb554ccc57c0ffd467b4fd1a6e2f1ae6ab1a3de140aab849b19bf
Gozi
2b8c7b7112e8070d01b2f977c360772e05704fff1838bf124780b9c8b699f337
Gozi
361fb6895164e8e130e6fc3f6dc984af355294173c5e385d0ac35d6df61aea60
Gozi
4080ff8f402587476926487e628103c97d0519f65f4d3222b152507e60816059
Gozi
71b928fd0b29e21bbfa4755b5347f4dc40653a82ec7ecf4947e325dbec23abaa
Gozi
823d3e4a009254382cf9401cffddeb21e5be60ab5bb283ad325734c8c14cd695
Gozi
a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e
Gozi
d33a4d3ac76095145e6061009fc20432b5c2c6ec4a828c7b6956ea5f072f2c34
Gozi
f87ed79fbb1a2228c97fb59127eade39c4f8218fa28ddd76b50da177d81438e3
Gozi
+ 433 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:1000 banker persistence trojan
Link:
https://tria.ge/reports/210418-at7b49647s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
http://ey7kuuklgieop2pq.onion
http://shoshanna.at
http://buismashallah.at
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Ursnif
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:internal research
Rule name:win_dreambot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/137532/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-18 08:04:12 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0052] File System Micro-objective::Writes File
4) [C0040] Process Micro-objective::Allocate Thread Local Storage
5) [C0043] Process Micro-objective::Check Mutex
6) [C0041] Process Micro-objective::Set Thread Local Storage Value
7) [C0018] Process Micro-objective::Terminate Process