MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f08827fd5dba2f6ffda8f931b5f2e1c18012b74ed753ea76a0a511e095eb1648. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 13



SHA256 hash: f08827fd5dba2f6ffda8f931b5f2e1c18012b74ed753ea76a0a511e095eb1648
SHA3-384 hash: 3f8d34e96af0f47c59c33f996949beac221d63160a5769a0b0e87f84ac85b1945467e15cffa30ad7f1d36620e449e2b1
SHA1 hash: 05b04bc2e3a9c406b37fa7ba4c4b70deacae8b16
MD5 hash: 79c68cde8f43d762c4ecb97d359fc9c4
humanhash: angel-wyoming-kitten-steak
File name: 3939.dll
Signature: Gozi
File size: 822'272 bytes
First seen: 2023-07-18 16:32:09 UTC
Last seen: Never
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 34188f9790f1e6bd6924e17658a1d977 (2 x Gozi)
ssdeep: 12288:OU+W2RNfboq2Fxto4obJj6eO/VTzFGF1d3Of1ZB4kd8AzVhml7wIKHaP:p+TNfsq239obV6pNXIF1sN4kdJmpO6P
Threatray: 259 similar samples on MalwareBazaar
TLSH: T16D05AEB7F89470D2DD26CDB7882EA167402DB25277A7973A73982A2406306B73D073D7
TrID:
  58.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  12.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  9.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
  3.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: pr0xylife
Tags: 20000 dll Gozi Ursnif

Intelligence


File Origin
# of uploads: 1
# of downloads: 318
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph (rendered here as text; node numbers are those of the graph):
Behavior Graph ID: 1275324
Sample: 3939.dll
Start date: 18/07/2023
Architecture: WINDOWS
Score: 100
Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
Process tree:
  11 mshta.exe (started)
    17 powershell.exe (started)
      dropped: C:\Users\user\AppData\...\emliqlqy.cmdline (Unicode)
      signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Found suspicious powershell code related to unpacking or dynamic code loading
      31 explorer.exe (injected)
        network: 45.155.249.220 ports 49700, 80 (MEER-ASmeerfarbigGmbHCoKGDE, Germany); 94.247.42.213 ports 49701, 49703, 80 (MEER-ASmeerfarbigGmbHCoKGDE, Germany); 107.158.128.38 ports 49702, 9955 (EONIX-COMMUNICATIONS-ASBLOCK-62904US, United States)
        dropped: C:\Users\user\AppData\...\UtilDiagram.dll (PE32)
        signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Tries to steal Mail credentials (via file / registry access); 8 other signatures
        52 mshta.exe (started)
          70 powershell.exe (started)
            76 csc.exe (started)
              dropped: C:\Users\user\AppData\Local\...\rnlvlnt4.dll (PE32)
              83 cvtres.exe (started)
            79 csc.exe (started)
              dropped: C:\Users\user\AppData\Local\...\oenw1mdj.dll (PE32)
              85 cvtres.exe (started)
            81 conhost.exe (started)
        54 cmd.exe (started)
          72 conhost.exe (started)
        68: 7 other processes
      36 csc.exe (started)
        dropped: C:\Users\user\AppData\Local\...\emliqlqy.dll (PE32)
        56 cvtres.exe (started)
      38 csc.exe (started)
        dropped: C:\Users\user\AppData\Local\...\gxc3epvf.dll (PE32)
        58 cvtres.exe (started)
      40 conhost.exe (started)
  13 loaddll32.exe (started)
    21 cmd.exe (started)
      42 rundll32.exe (started)
        network: 45.11.182.38 ports 49697, 49698, 49699 (PORTLANEwwwportlanecomSE, Germany)
        signatures: Writes to foreign memory regions
        60 control.exe (started)
          74 rundll32.exe (started)
    23 rundll32.exe (started)
      44 control.exe (started)
        network: 192.168.2.1 (unknown)
        62 rundll32.exe (started)
    25 rundll32.exe (started)
      signatures: System process connects to network (likely due to code injection or exploit)
    29: 5 other processes
      signatures: Writes registry values via WMI
  15 mshta.exe (started)
    27 powershell.exe (started)
      signatures: Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
      46 csc.exe (started)
        dropped: C:\Users\user\AppData\Local\...\2424qxje.dll (PE32)
        64 cvtres.exe (started)
      48 csc.exe (started)
        dropped: C:\Users\user\AppData\Local\...\455jqvak.dll (PE32)
        66 cvtres.exe (started)
      50 conhost.exe (started)
Threat name: Win32.Trojan.CrypterX
Status: Malicious
First seen: 2023-07-18 16:33:04 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 16 of 25 (64.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:gozi botnet:20000 banker isfb trojan
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi
Malware Config
C2 Extraction:
http://45.11.182.38
http://79.132.130.230
https://listwhfite.check3.yaho1o.com
https://lisfwhite.ch2eck.yaheoo.com
http://45.155.250.58
https://liset.che3ck.bi1ng.com
http://45.155.249.91
Unpacked files
SHA256 hash: 0d80d8deda0fd3fd808262b27313c397ca20b43d727f11b2a29176d312a5a776
MD5 hash: b17e7f8f96ab5fdab16c6eaf3e49cec2
SHA1 hash: 4c337b637a7f18cd1be35828b37af951d7a74a30
SHA256 hash: f08827fd5dba2f6ffda8f931b5f2e1c18012b74ed753ea76a0a511e095eb1648
MD5 hash: 79c68cde8f43d762c4ecb97d359fc9c4
SHA1 hash: 05b04bc2e3a9c406b37fa7ba4c4b70deacae8b16
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
