MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee53ac8909a116494439489590de99162e1e3ceb6bdf839b6e30bdc1686d2a11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee53ac8909a116494439489590de99162e1e3ceb6bdf839b6e30bdc1686d2a11
SHA3-384 hash: b564247d079e4a6d728592dacec48fb21e7e26dc3b68b8427eb2d5d6093a5b3918a9f7a5e3a9d6d1f2c4ce14f6c31e85
SHA1 hash: a01fae9151e942dd147bbc19e5a090af3a6646c4
MD5 hash: 85c122538535578f3962dc02bf354796
humanhash: kansas-idaho-football-burger
File name:62d7d13652dd3.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:352'256 bytes
First seen:2022-07-20 09:57:01 UTC
Last seen:2022-07-20 10:50:12 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash d5b695ff69a030d49feb212ee1309dba (2 x Gozi)
ssdeep 6144:wWIA1nmhsNe9T73RoyNCCJcbla6zm7eDLbR+eeYH5GvmDqLuwfQ:mA1mDr7JT6zgefsaWZf
Threatray 2'830 similar samples on MalwareBazaar
TLSH T13C74E1315554C0ABD777EAFA26F23391992D73D4837FCBF2DAA91AED642001128EF484
TrID 59.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
7.2% (.EXE) DOS Executable Generic (2000/1)
Reporter JAMESWT_WT
Tags:agenziaentrate agenziariscossione dll Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
666
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/292877/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.23090.10006.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d7d1f30e298a94f3e29b46/reports/a3dac9a4-f6f6-4ae5-a85f-ac4ce76d8307/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1037356
Behaviour
Behavior Graph:
n/a
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ee53ac8909a116494439489590de99162e1e3ceb6bdf839b6e30bdc1686d2a11/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-07-20 09:58:06 UTC
File Type:
PE (Dll)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zj2zcijuelesrbzjckzbxuzcyxb4phlnppyhg3ogc64c2dnfiiq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
081b2f33473b7439b72b7fd1a01e4636b2ef6f768bb5dceaa862a23b91ecdacd
Gozi
20351bf93e117a01a601e5fcd6b83250e42e001a81cc9bf660e3079516a30f08
Gozi
251b7936786ed9284ce06582007fe75c3bc301fd0f1060fa53e71e54aff28a7f
Gozi
2d20fa945e25833b10535bfc615993248c6d82daa04c1213f1104d4c9d8cfa94
Gozi
45a4adfc2e499622a94f9a664c080e73ffa87c52013a37f0447720c94b3ef497
Gozi
60064e7969abecfaab8fedd58e0277e9253f5f59d4f60e8a414af290d90ac6df
Gozi
89ba09321339c7b25fa34bc6ebd9719a2b3dc9293c01185c1c6c9c6d73525e04
Gozi
96f13595050ebbbb7e919872631a913867cb282f59e2d687479b419ecd058da2
Gozi
cfc28c18307134fd44181c705df55653e24114fe5c58788c18f50613ae08da01
Gozi
+ 2'820 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000 banker trojan
Link:
https://tria.ge/reports/220720-lyxk9seefj/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
config.edge.skype.com
193.27.14.240
94.198.40.39
kimzooxl.at
94.198.40.47
94.198.40.58
havefuntxmm.at
Unpacked files
SH256 hash:
650e5ef59f5b775ec41895e429d842c22343e7aa92fa14a03c0554f043d043c5
MD5 hash:
a8e571786be0247ba582b94a5cdd9da1
SHA1 hash:
c6e150e950b7914e821942e847e4dc441656e14b
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/aa2137c4-4f4c-4eaf-bb9a-5b436f67e169/
Parent samples :
ee53ac8909a116494439489590de99162e1e3ceb6bdf839b6e30bdc1686d2a11
8730706139c6431886ce5d5fe83079f063fa81f85c2827f7b34b4ecb30886871
4e199eda08279c7e758ee7a63e44a934866c4b66b99113de3ed095f696054793
da273d385123cc3a1b69a9127e6372305cebde9fcc3e2bc39145a1689b64d58b
SH256 hash:
81efce335422d82e5ae01c0bbabffd088a5f275bfe3f96aa081c4adc7f675bbe
MD5 hash:
61f0e088dd8962cc3b81cef51c4d8852
SHA1 hash:
0dd0ef0d911398d9246a4453d4601db0fd434520
Link:
https://www.unpac.me/results/aa2137c4-4f4c-4eaf-bb9a-5b436f67e169/
SH256 hash:
ee53ac8909a116494439489590de99162e1e3ceb6bdf839b6e30bdc1686d2a11
MD5 hash:
85c122538535578f3962dc02bf354796
SHA1 hash:
a01fae9151e942dd147bbc19e5a090af3a6646c4
Link:
https://www.unpac.me/results/aa2137c4-4f4c-4eaf-bb9a-5b436f67e169/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ee53ac8909a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ee53ac8909a116494439489590de99162e1e3ceb6bdf839b6e30bdc1686d2a11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/292877/

Comments