MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2
SHA3-384 hash:	00f8b85267d1c15d2f027b7305ec11a1b37bf610e0cb7a9a822ce6fd218f92b1f6331f91cbbbc83f34577f486788323b
SHA1 hash:	f0831e7499e3534444dd83ce50c9681d34804555
MD5 hash:	ee5e38c9c7ec458faf8cf0e01cee1f16
humanhash:	west-two-island-alanine
File name:	informazione_unpacked.bin
Download:	download sample
Signature	Gozi Create hunting rule
File size:	41'369 bytes
First seen:	2023-01-17 12:26:33 UTC
Last seen:	2023-01-17 14:37:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1640d668d1471f340cbe565fe63522f6 (15 x Gozi)
ssdeep	768:QkJBM2WZy1MjuBTct9Tix88Fn9nB8XZDRlONXvxkiZOrQgL2r:QkJBMhnCiTimGn9yXhRINfxbMrHL2r
Threatray	913 similar samples on MalwareBazaar
TLSH	T11403E133527E867EEBDACE3043FF082DE9D4038D01662C9789D409985825C4EE7BE693
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	Viuleeenz
Tags:	agenziaentrate exe Gozi unpacked Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

informazione_unpacked.bin

Verdict:

No threats detected

Analysis date:

2023-01-17 12:29:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b37e9bba-19ca-47b5-91f4-8b7d98c46a38

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/353761/

Detection(s):

SecuriteInfo.com.Variant.Razy.853307.21464.19263.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

DNS request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/60936/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/63c69416e56ca96f6d4ff71a/reports/41e33162-d60c-4824-b91e-f305f73a7a97/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/69d80645-7a5e-4ebc-9dd3-e4c4fd6a6d99

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1153023

Signature

Antivirus / Scanner detection for submitted sample

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2/

Threat name:

Win32.Trojan.Ursnif

Status:

Malicious

First seen:

2023-01-17 12:27:06 UTC

File Type:

PE (Exe)

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6pppexhmw4cc4cwd5mjawrbuv6h53mwttfrahldeuhrnyfourkza._file

Verdict:

malicious

Label(s):

gozi

Gozi

5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a

Gozi

72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8

Gozi

cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb

Gozi

e807c46ba7cd53bf6900d1a8f32baba9a118410483faa68d51b233de738483e3

Gozi

f8388847ebddbc0c6db43ede0ee839fa304fc4786d4a7c8285eb746a5a2ee711

Gozi

+ 903 additional samples on MalwareBazaar

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:7705 banker isfb trojan

Link:

https://tria.ge/reports/230117-pmq6wsfg29/

Behaviour

Gozi

Malware Config

C2 Extraction:

checklist.skype.com
62.173.140.150
31.41.44.179
91.107.119.172

Unpacked files

SH256 hash:

fc1b71bb16f5f21c92a4654bd8d027414741f57f3537daff55efc16b820705f6

MD5 hash:

a07bcf19802db39b4eb1d786e5d2070b

SHA1 hash:

c1c2b079334bfa6b91df0e0bbecb07c99165d343

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/52da1634-f397-42b2-ab9d-60bc6e434e3a/

Parent samples :

5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a
f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2
b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4
737bff8488486744c65118caaadaa03cc43981ec3c5b6c6bea544f3366f0873a
4f38f1e0e4d1a7b0ee3e98bf9eb766bad6bddbe0ff43af23d28728f6195f109f

SH256 hash:

f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2

MD5 hash:

ee5e38c9c7ec458faf8cf0e01cee1f16

SHA1 hash:

f0831e7499e3534444dd83ce50c9681d34804555

Link:

https://www.unpac.me/results/52da1634-f397-42b2-ab9d-60bc6e434e3a/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f3def25cecb7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

ursnif3

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/353761/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample