MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebb7be9831bb93c4dbb72057ce647791ee53f37a680443793d67cc6a0d9bbf5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebb7be9831bb93c4dbb72057ce647791ee53f37a680443793d67cc6a0d9bbf5e
SHA3-384 hash: c3e731003fe6f6825f982e40c58107f5e58da52b27f50d9610919832c7a86259fc3bda525fe17f30f0bf844054282581
SHA1 hash: 2c8f8c7649ee28290bbe81b00407f98abbd70f79
MD5 hash: fd2ed8abfecd55a3dbf2214677dfa1e8
humanhash: oregon-grey-illinois-minnesota
File name:contatti.jpg.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:288'880 bytes
First seen:2021-03-02 08:05:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 401fec9c3d4f60ae25797b845d590d02 (1 x Gozi)
ssdeep 3072:thLwrFiuSFscSYHH4BKfg67z3CMwAJg2fjtxrkn5pa7rcQZS3HMqlkltfKi3jIWb:nYRY+OIATCi3juBW3nxYZI
Threatray 53 similar samples on MalwareBazaar
TLSH EB546EE6669041B6E1C393F1F4B137B0DDC6CBBAF77823571386BA72DA604A0C295D09
Reporter JAMESWT_WT
Tags:dll Gozi isfb italy signed Ursnif vodafone

Code Signing Certificate

Organisation:Kaspersky Lab
Issuer:VeriSign Class 3 Code Signing 2009-2 CA
Algorithm:sha1WithRSAEncryption
Valid from:2010-03-08T00:00:00Z
Valid to:2011-03-08T23:59:59Z
Serial number: 07be8f83f4455021f4e24fb021fca24a
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: bac4c0d47deb8fc2cfea50cd56e2091b5d4c597a032ed5791b42061b8181df18
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
contatti.jpg.dll
Verdict:
No threats detected
Analysis date:
2021-03-02 08:26:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b403476-4a77-49f9-96f6-818187d99139

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120854/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.24340.8856.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/623505
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Register DLL with spoofed extension
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 360743 Sample: contatti.jpg.dll Startdate: 02/03/2021 Architecture: WINDOWS Score: 96 38 Found malware configuration 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected  Ursnif 2->42 44 4 other signatures 2->44 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 rundll32.exe 8->13         started        15 cmd.exe 1 8->15         started        signatures5 46 Writes or reads registry keys via WMI 10->46 48 Writes registry values via WMI 10->48 17 iexplore.exe 1 86 15->17         started        process6 process7 19 iexplore.exe 152 17->19         started        22 iexplore.exe 17->22         started        24 iexplore.exe 17->24         started        26 2 other processes 17->26 dnsIp8 28 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49756, 49757 FASTLYUS United States 19->28 30 geolocation.onetrust.com 104.20.185.68, 443, 49742, 49743 CLOUDFLARENETUS United States 19->30 36 8 other IPs or domains 19->36 32 ocsp.sca1b.amazontrust.com 13.224.194.189, 49785, 49786, 80 AMAZON-02US United States 22->32 34 13.224.194.127, 49789, 49790, 80 AMAZON-02US United States 24->34
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebb7be9831bb93c4dbb72057ce647791ee53f37a680443793d67cc6a0d9bbf5e/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-03-02 08:04:31 UTC
File Type:
PE (Dll)
Extracted files:
10
AV detection:
5 of 47 (10.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5o335gbrxoj4jw5xebl44zdxshxfh432naceg6j5m7ggudm3x5pa._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2b008fe5818667b064573889db6500c245bddeb65c37facd260fea09e9801eae
Gozi
35375028a2cc4876b5a8476876ad75a037b8c4e303589ce6e9d9c61aaba9f74c
Gozi
472c6d7282d5ad1ea6b8aa3e66fd0b42c1ccf6086a33e16cbab93f423203e4d4
Gozi
802033992634317b28a736038b41e264727819a1fd76770e28dd5931779a8833
Gozi
8df914f790a6e5eb07042cce36ea9a23e23cdc1610d930f306f9ef55b6d8a2c5
Gozi
9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb
Gozi
b2701be6d7b593433a48955c5613953470e2c807a87fa18eb33334da66dd41b0
Gozi
bad7c7a4553a600deef25fe5e29b22fcba05d32f9155352d12f8438080b07fa9
Gozi
f7522ebb3f0746e829a7ff61d83b8d956bf6700697208589c0282af453fb7732
Gozi
ff69d250cc705f583350967cc8956786e198d2ab5cbaa6e19fc63b1e2a208ac7
Gozi
+ 43 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7253 banker trojan
Link:
https://tria.ge/reports/210302-8rj3zfmje2/
Behaviour
Modifies Internet Explorer Phishing Filter
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
web.vortex.data.microsoft.com
ocsp.sca1b.amazontrust.com
stasecrets.com
Unpacked files
SH256 hash:
b6b2c663597d770cdbaf44cd5b81a1d8298a21efc15f8ec380e831036954db6a
MD5 hash:
0d5ef3f32ebfff768d58b6c699bbc832
SHA1 hash:
d68836ffc5d288f5093bdb93d138cc790872909b
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/c61a8635-0fa2-49f3-92ed-a63e621f6790/
Parent samples :
35375028a2cc4876b5a8476876ad75a037b8c4e303589ce6e9d9c61aaba9f74c
ebb7be9831bb93c4dbb72057ce647791ee53f37a680443793d67cc6a0d9bbf5e
SH256 hash:
ebb7be9831bb93c4dbb72057ce647791ee53f37a680443793d67cc6a0d9bbf5e
MD5 hash:
fd2ed8abfecd55a3dbf2214677dfa1e8
SHA1 hash:
2c8f8c7649ee28290bbe81b00407f98abbd70f79
Link:
https://www.unpac.me/results/c61a8635-0fa2-49f3-92ed-a63e621f6790/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.66
Link:
https://yomi.yoroi.company/submissions/ebb7be9831bb93c4dbb72057ce647791ee53f37a680443793d67cc6a0d9bbf5e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe ebb7be9831bb93c4dbb72057ce647791ee53f37a680443793d67cc6a0d9bbf5e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/120854/
  
URLhaus
https://urlhaus.abuse.ch/url/1041663/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1041677/
  
URLhaus
https://urlhaus.abuse.ch/url/1041727/
  
URLhaus
https://urlhaus.abuse.ch/url/1041775/

Comments