MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f18fa78f01e930c099b0a1dab86ca4151ffbb265a741135dcff80791cc2fa18b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f18fa78f01e930c099b0a1dab86ca4151ffbb265a741135dcff80791cc2fa18b
SHA3-384 hash: 091e5b212a7f719f4abc499174ccc17e4da82348e393c228f0177dc7441953f18da83224ed9f7d32d323d0aded165715
SHA1 hash: 547e68948b7c490bb0793f5d123b606d1d5f6210
MD5 hash: 110f8f96a6313b9a11e81edcab961454
humanhash: foxtrot-earth-nine-item
File name:f18fa78f01e930c099b0a1dab86ca4151ffbb265a741135dcff80791cc2fa18b
Download: download sample
Signature Gozi
Create hunting rule
File size:200'704 bytes
First seen:2020-12-08 00:55:27 UTC
Last seen:2020-12-08 02:41:30 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 7a3595712e6b26d09292c840d99f2947 (1 x Gozi)
ssdeep 6144:u4Ecrvj39pD3iqlalRQfVFM2f1OBTHVeM2lvkUi2KRE6AIF:xEcLZpbiqglRQfVFV1AHVeM6i2KREW
Threatray 10 similar samples on MalwareBazaar
TLSH B1149E44F980617BD6B30DB444E37F2DEBE992C80B38D4876B485D87B859D82EB39643
Reporter b3ard3dav3ng3r
Tags:Gozi isfb

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/107137/
Detection(s):
SecuriteInfo.com.DeepScan.Generic.Ursnif.1.5D6FA9DA.18021.16578.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Gozi Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/557479
Signature
Antivirus / Scanner detection for submitted sample
Detected Gozi e-Banking trojan
Found Tor onion address
Machine Learning detection for sample
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 327837 Sample: 2NU6X08tWl Startdate: 08/12/2020 Architecture: WINDOWS Score: 72 14 Antivirus / Scanner detection for submitted sample 2->14 16 Yara detected  Ursnif 2->16 18 Machine Learning detection for sample 2->18 20 Found Tor onion address 2->20 7 loaddll32.exe 2 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        signatures5 22 Detected Gozi e-Banking trojan 9->22 12 WerFault.exe 23 9 9->12         started        process6
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f18fa78f01e930c099b0a1dab86ca4151ffbb265a741135dcff80791cc2fa18b/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 00:56:06 UTC
AV detection:
23 of 48 (47.92%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2a80deaa083bb554ccc57c0ffd467b4fd1a6e2f1ae6ab1a3de140aab849b19bf
Gozi
361fb6895164e8e130e6fc3f6dc984af355294173c5e385d0ac35d6df61aea60
Gozi
493d258253c3d4b39ae41b07ae583164926731a9d1b17c434cca2b8fa9c80629
Gozi
73a0eff4b25b824af4b6600db0f637f991b45b0945c9385fd6e7eca289b7e5ed
Gozi
77a9dd087ddaea28c24891d5422565a155d03a4e201e4c7ab014502c825968de
Gozi
823d3e4a009254382cf9401cffddeb21e5be60ab5bb283ad325734c8c14cd695
Gozi
93d99d2cd1283d50475a5860cc3ea76438f51b4419792ce9bfc3fde3fd574ba4
Gozi
a39f088d2176b2545060cbe750158a53388b10c9abbb27581e3cb7abd9fd343d
Gozi
b0d9f78957650a0bc42b0bf646e3d158f713de64ee5e6ab395cf777e93a7a240
Gozi
d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba
Gozi
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201208-gqc8bqhan6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
f18fa78f01e930c099b0a1dab86ca4151ffbb265a741135dcff80791cc2fa18b
MD5 hash:
110f8f96a6313b9a11e81edcab961454
SHA1 hash:
547e68948b7c490bb0793f5d123b606d1d5f6210
Link:
https://www.unpac.me/results/d7cca7ea-6ad7-47c4-b624-acdb7f013836/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f18fa78f01e930c099b0a1dab86ca4151ffbb265a741135dcff80791cc2fa18b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropping
isfb
Cape
Cape
https://www.capesandbox.com/analysis/107137/

Comments