MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4a464c2e5f14cd4c391a9b5ba60deca36ccaa6c1503a097eeb0c5070945d1fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4a464c2e5f14cd4c391a9b5ba60deca36ccaa6c1503a097eeb0c5070945d1fb
SHA3-384 hash: 44f0309103ada2d120d0efa06e960ef4c389448b93a5382dbf016026d027a6607381877d46efebf172d51acbbc586241
SHA1 hash: d92ac3fa9cca4ed8273111f767e24d8f53896787
MD5 hash: b3526bc3c4a61f9f09ac31ee9a5fc8a5
humanhash: lion-magnesium-butter-wyoming
File name:shorefront.eps
Download: download sample
Signature Gozi
Create hunting rule
File size:393'728 bytes
First seen:2021-06-03 15:36:58 UTC
Last seen:2021-06-03 16:37:18 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash f97da13a5df33dbcb72f17527b1d6819 (2 x Gozi)
ssdeep 6144:hC5FUWwNmY036ua+71w5uJEr+AitTdyh+a6R+/ZQWdB:0FBwNuKu4umqAinyh+7+h1H
Threatray 362 similar samples on MalwareBazaar
TLSH 9E84BD5076C6E031E17241354A69EAE0073DBC629FA10B8F77E41E8F9D7C6C26E35B62
Reporter bigmacjpg
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164451/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/796820
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 429225 Sample: shorefront.eps Startdate: 03/06/2021 Architecture: WINDOWS Score: 92 32 Multi AV Scanner detection for domain / URL 2->32 34 Found malware configuration 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 3 other signatures 2->38 7 loaddll32.exe 1 2->7         started        10 iexplore.exe 1 53 2->10         started        process3 signatures4 40 Writes or reads registry keys via WMI 7->40 42 Writes registry values via WMI 7->42 12 rundll32.exe 7->12         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 7->17         started        19 rundll32.exe 7->19         started        21 iexplore.exe 35 10->21         started        24 iexplore.exe 29 10->24         started        process5 dnsIp6 44 Writes registry values via WMI 12->44 26 rundll32.exe 15->26         started        28 app.buboleinov.com 21->28 30 app.buboleinov.com 24->30 signatures7 process8
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f4a464c2e5f14cd4c391a9b5ba60deca36ccaa6c1503a097eeb0c5070945d1fb/
Threat name:
Win32.Trojan.Sdum
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 15:37:11 UTC
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ssgjqxf6fgnjq4rvg23uyg6zi3mzktmcub2bf7owdcqockf2h5q._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
01fd38efd6b413c52b73ae4bdb563472a37a2ec440a8441a86ed11f4d8f4c5a0
Gozi
08dafa77d5b9a550504ff06b05afef539e6f669ba8c330e776fbff2a2cc31b81
Gozi
1346bf7820f12ebcb3b6924fcbbcde045b4819773b924f1524abec895efa78e4
Gozi
1da1183f1cd5f96f113a3b8978359b50380bfbc82e6987e274892edf56fcf3b5
Gozi
20c09f055323ec942cb40efc13c0ff06bb7c60f44087e9b8a4a4744bf80935ed
Gozi
478be2a2eff77ac1ad7ff5e048bfb795ff7afd323f8e95b769ad26c40e582f38
Gozi
70f617d8686bdc7d17d4f3b992a27f2532686815aaf5289841b87fd0c198ff3a
Gozi
9b83ff3af3645baf703075ecce628742d87f3349f08516d5affb105962b4fd6b
Gozi
a75c290ca3dd70d57c3f2805fb7c5668d95402c0cea95f62054a47084200ef24
Gozi
ab2ac6bebb2713759ce6e3d5db80fe8ccd4bb752199d9d71ce74a67ed8cf0c3b
Gozi
+ 352 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:4500 banker trojan
Link:
https://tria.ge/reports/210603-98bdpq79sj/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
app.buboleinov.com
chat.veminiare.com
chat.billionady.com
app3.maintorna.com
Unpacked files
SH256 hash:
7754dadd66bec4a62c27161eb7f1b98bfe3a3cdc52eb2f866b6c8cf8cbc46b1e
MD5 hash:
8bda8908a921ad917708c5aab7b9d733
SHA1 hash:
d69024c4d14c680d614c92e42889c1905741fc01
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/cfd75af4-30c6-4402-9fa3-0e924e59b9fa/
SH256 hash:
f4a464c2e5f14cd4c391a9b5ba60deca36ccaa6c1503a097eeb0c5070945d1fb
MD5 hash:
b3526bc3c4a61f9f09ac31ee9a5fc8a5
SHA1 hash:
d92ac3fa9cca4ed8273111f767e24d8f53896787
Link:
https://www.unpac.me/results/cfd75af4-30c6-4402-9fa3-0e924e59b9fa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4a464c2e5f14cd4c391a9b5ba60deca36ccaa6c1503a097eeb0c5070945d1fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164451/

Comments