MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993
SHA3-384 hash: 04c883e4ad1996c1189b7fbcc1f4a21e2fe34188fe469ff5e021587bbed3a5948b3807f1fc002f4a6e131ff2753cbba8
SHA1 hash: fed4a9b4069cd2676928441ecf8c844cc7f4a9ee
MD5 hash: 5522c21a05daf91658951bdf1c0e5271
humanhash: jersey-fifteen-saturn-sweet
File name:Processwindo.DLL
Download: download sample
Signature Gozi
Create hunting rule
File size:404'992 bytes
First seen:2021-07-07 12:57:26 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 789fcca066875e59aafcb5a18bb50d1b (1 x Gozi)
ssdeep 6144:h8vockvtMD67Dvy8CyOuq107KjWMTxdtcrsianUAqPt/MmG3G/GERIgg:SwhtCy50mpMTxdtV8AqPtM3gN
Threatray 629 similar samples on MalwareBazaar
TLSH 49849D003341E436C7E622758F29D6E5671D34A49BB145CF76E86FAF1FAA0E39634382
Reporter 0x746f6d6669
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170190/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37200498.10085.921.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da9584ca-904b-4683-9e06-72ff492b6ccf
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/812880
Signature
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445292 Sample: Processwindo.DLL Startdate: 07/07/2021 Architecture: WINDOWS Score: 56 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected  Ursnif 2->27 7 loaddll32.exe 1 2->7         started        9 cmd.exe 1 2->9         started        process3 process4 11 cmd.exe 1 7->11         started        13 rundll32.exe 7->13         started        15 rundll32.exe 7->15         started        21 2 other processes 7->21 17 conhost.exe 9->17         started        19 timeout.exe 9->19         started        process5 23 rundll32.exe 11->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 09:48:02 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5nxckgnklqyrosq623absoznbze6t3lmugwad3muwmahwxrpngjq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
31b94c5a94aa8ce7e187360b0dc702b473d1c5d498d4de26f137b272ccbadaed
Gozi
7389677e946cac4226da9b84eca90b94b59d46cf2bf4541ea58d96d39e6669d5
Gozi
7a5e4fd35a1a636ef1beb7e62cc647d7e63f5c7aadd2aa1a49d49c81183aca93
Gozi
7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec
Gozi
7bcf94551f01cde9cc82ea6c5b86929eb4ec341adf30af715af2bf0c2ecb6ed4
Gozi
9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0
Gozi
afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984
Gozi
be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2
Gozi
c788a7e6d4c74e709845a01627e3cd7bb596dabbafb75aaf3929315e4b58e3e1
Gozi
f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
Gozi
+ 619 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210707-vhpr1qb5xj/
Behaviour
Enumerates physical storage devices
Unpacked files
SH256 hash:
2793f1c57fec62bdf69a20cdda740503cdfc00278c16e73516e96335338524a7
MD5 hash:
557fed1818dec3ab35bf73477d67fda2
SHA1 hash:
0f670f9acaeba6c5da54a7d0bc7f3b55522a01eb
Link:
https://www.unpac.me/results/810c1594-d6f0-44f0-a372-bf6d8cc92e99/
SH256 hash:
eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993
MD5 hash:
5522c21a05daf91658951bdf1c0e5271
SHA1 hash:
fed4a9b4069cd2676928441ecf8c844cc7f4a9ee
Link:
https://www.unpac.me/results/810c1594-d6f0-44f0-a372-bf6d8cc92e99/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1433306/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170190/
  
URLhaus
https://urlhaus.abuse.ch/url/1434089/

Comments