MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f59b112154fa7b5d054be2543b3ece90ba0c1eb828edc2636602368f2213aadc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f59b112154fa7b5d054be2543b3ece90ba0c1eb828edc2636602368f2213aadc
SHA3-384 hash: b9fb1dd1666edeae4c5aecd5e073b80709452e98be547dbba1206cf4555c180720b1d33d3025828445ab08d352449fb6
SHA1 hash: c9065f7aa61a613f0caece1fba92183d75619427
MD5 hash: d960b574ee755efb105b16ddcb6e8ac4
humanhash: summer-oklahoma-lactose-nevada
File name:unpacked_sample.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:57'344 bytes
First seen:2023-07-04 18:16:17 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 3e85858f9f91b022a15a56437fb6f7c2 (4 x Gozi)
ssdeep 768:A2XtFm6/yekvj2va2FyZWjlC/gL8MNF7yNcYNzB1BA5V53vrUZKmdbhrknZ:xi6qeSjpUAsw/gfBWD1ybm1hiZ
Threatray 208 similar samples on MalwareBazaar
TLSH T1A343F1F5A005017BFA4316B16E18630EE3C259611F37CE9162BBA048D6EDC67C97F262
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Viuleeenz
Tags:dll Gozi ITA unpacked Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
UrsnifV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/407186/
Detection(s):
Win.Malware.GoziISFB-9940853-2
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64a4621f204315fbc16cc4ec/reports/cb57f677-945c-4f90-869f-97c890f5c343/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/f59b112154fa7b5d054be2543b3ece90ba0c1eb828edc2636602368f2213aadc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dda944c3-d450-4cdc-a316-b69aa5b4c375
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1266794
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1266794 Sample: unpacked_sample.dll Startdate: 04/07/2023 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 7 other signatures 2->65 9 loaddll32.exe 1 2->9         started        11 mshta.exe 19 2->11         started        13 explorer.exe 2->13         started        process3 process4 15 cmd.exe 1 9->15         started        17 conhost.exe 9->17         started        19 powershell.exe 1 30 11->19         started        file5 23 rundll32.exe 6 15->23         started        49 C:\Users\user\AppData\...\xipfnrs5.cmdline, Unicode 19->49 dropped 67 Injects code into the Windows Explorer (explorer.exe) 19->67 69 Writes to foreign memory regions 19->69 71 Modifies the context of a thread in another process (thread injection) 19->71 73 3 other signatures 19->73 27 explorer.exe 3 3 19->27 injected 29 csc.exe 3 19->29         started        32 csc.exe 3 19->32         started        34 conhost.exe 19->34         started        signatures6 process7 dnsIp8 55 itwicenice.com 91.212.166.44, 49683, 80 MOBILY-ASEtihadEtisalatCompanyMobilySA United Kingdom 23->55 57 avas1ta.com 23->57 83 System process connects to network (likely due to code injection or exploit) 23->83 85 Writes to foreign memory regions 23->85 87 Allocates memory in foreign processes 23->87 91 3 other signatures 23->91 36 control.exe 1 23->36         started        89 Disables SPDY (HTTP compression, likely to perform web injects) 27->89 39 WerFault.exe 27->39         started        41 WerFault.exe 27->41         started        51 C:\Users\user\AppData\Local\...\xipfnrs5.dll, PE32 29->51 dropped 43 cvtres.exe 1 29->43         started        53 C:\Users\user\AppData\Local\...\44fslzbe.dll, PE32 32->53 dropped 45 cvtres.exe 1 32->45         started        file9 signatures10 process11 signatures12 75 Changes memory attributes in foreign processes to executable or writable 36->75 77 Injects code into the Windows Explorer (explorer.exe) 36->77 79 Writes to foreign memory regions 36->79 81 4 other signatures 36->81 47 rundll32.exe 36->47         started        process13
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f59b112154fa7b5d054be2543b3ece90ba0c1eb828edc2636602368f2213aadc/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2023-07-04 18:17:05 UTC
File Type:
PE (Dll)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6wnrciku7j5v2bkl4jkdwpwosc5ayhvyfdw4ey3gai3i6iqtvloa._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0423fd21a639d16d71c50b15fdf96b7e19690583b2aee6f25443329d0e8ea0eb
Gozi
06b3f14f359d4286bf5323824f637e082e876b9c1de0002109ff23e336ff9062
Gozi
0b3d641004b2a730cd86a3131f6ae569e6692c03368dd1ac17f14bfd395e5bcb
Gozi
7d0b3f35f4916e7b988b912715e2e02bc49f6603dfa765a51b8662511868c25a
Gozi
d50570c1b4d064fb1f6e855d0c27ac1958a7a32c3cef5e6373094d82647f5bd4
Gozi
ea2d71af9790b0a058d0d166c52c2609a1a106053189c515b6059b5f18e9e48b
Gozi
ebd73a3f010aa3cf01059a4c08f9f70d0d7d4d671e76d024e5dfd60b27e92a66
Gozi
+ 198 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:5050 banker isfb persistence trojan
Link:
https://tria.ge/reports/230704-ww1v1sga97/
Behaviour
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Gozi
Malware Config
C2 Extraction:
https://avas1ta.com/in/login/
itwicenice.com
https://avas1t.de/in/loginq/
delideta.com
Unpacked files
SH256 hash:
f59b112154fa7b5d054be2543b3ece90ba0c1eb828edc2636602368f2213aadc
MD5 hash:
d960b574ee755efb105b16ddcb6e8ac4
SHA1 hash:
c9065f7aa61a613f0caece1fba92183d75619427
Link:
https://www.unpac.me/results/0eceda91-9f0d-4e7c-8eb4-fd615e1c6bef/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/407186/

Comments