MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641
SHA3-384 hash: 86ef75ae1b8ce41bed9ce75b7fc6a5a305ea9f1231e987506b3ae3c1063cc5d2fbea503efa355256342e5cddd2246cfd
SHA1 hash: e6683d712477887b2c13a8baf5eb52b44d86645c
MD5 hash: 2bba9ec2e0dc86ce99edcb310abf3786
humanhash: ink-march-carpet-foxtrot
File name:DSC_Canon_023945_23.12.2021.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:169'984 bytes
First seen:2021-03-16 03:17:03 UTC
Last seen:2021-03-16 04:51:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0db5122541c535013699ed54854d9680 (1 x Smoke Loader, 1 x Gozi, 1 x RaccoonStealer)
ssdeep 3072:BjF/tGR9+ATTovkugvc9X82JZxaneA5XgP:NqRkATkLX6A
TLSH 7BF39C1172E1C033DB96163148B5C2B11A36FCB58B2556F7BBD43B6A5E31AF28A36343
Reporter nao_sec
Tags:Gozi RigEK Ursnif


Avatar
nao_sec
Dropped from http[:]//hathunterist[.]ru/DSC_Canon_023945_23.12.2021.zip

Intelligence

File Origin
# of uploads :
2
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0umvx.exe
Verdict:
Malicious activity
Analysis date:
2021-03-16 00:38:18 UTC
Tags:
trojan loader smoke gozi ursnif dreambot evasion stealer
Link:
https://app.any.run/tasks/55fe3427-eeba-4aa2-8da8-ebecb4ef3075

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.943.24846.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e30fa2f-af5c-47b4-9868-7a8f1e570f87
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/640232
Signature
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 369091 Sample: DSC_Canon_023945_23.12.2021.exe Startdate: 16/03/2021 Architecture: WINDOWS Score: 100 58 8.8.8.8.in-addr.arpa 2->58 60 1.0.0.127.in-addr.arpa 2->60 62 resolver1.opendns.com 2->62 70 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->70 72 Multi AV Scanner detection for domain / URL 2->72 74 Found malware configuration 2->74 76 12 other signatures 2->76 9 mshta.exe 19 2->9         started        13 DSC_Canon_023945_23.12.2021.exe 2->13         started        15 iexplore.exe 1 50 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 64 192.168.2.1 unknown unknown 9->64 94 Suspicious powershell command line found 9->94 19 powershell.exe 9->19         started        96 Detected unpacking (changes PE section rights) 13->96 98 Detected unpacking (overwrites its own PE header) 13->98 100 Writes to foreign memory regions 13->100 102 4 other signatures 13->102 23 svchost.exe 13->23         started        25 iexplore.exe 31 15->25         started        28 iexplore.exe 31 17->28         started        30 iexplore.exe 29 17->30         started        32 iexplore.exe 29 17->32         started        34 iexplore.exe 36 17->34         started        signatures6 process7 dnsIp8 50 C:\Users\user\AppData\...\rlu5btwb.cmdline, UTF-8 19->50 dropped 52 C:\Users\user\AppData\Local\...\mkb3zjlt.0.cs, UTF-8 19->52 dropped 78 Injects code into the Windows Explorer (explorer.exe) 19->78 80 Writes to foreign memory regions 19->80 82 Modifies the context of a thread in another process (thread injection) 19->82 84 3 other signatures 19->84 36 explorer.exe 19->36 injected 39 csc.exe 19->39         started        42 csc.exe 19->42         started        44 conhost.exe 19->44         started        66 sibedriamasterkkmoderatordstezya.ru 45.130.151.85, 49729, 49730, 49731 MARKTELRU Russian Federation 25->66 68 massidfberiatersksilkavayssstezya.ru 31.148.99.142, 49740, 49741, 49742 IHOR-ASRU Czech Republic 28->68 file9 signatures10 process11 file12 86 Tries to steal Mail credentials (via file access) 36->86 88 Changes memory attributes in foreign processes to executable or writable 36->88 90 Tries to harvest and steal browser information (history, passwords, etc) 36->90 92 4 other signatures 36->92 54 C:\Users\user\AppData\Local\...\rlu5btwb.dll, PE32 39->54 dropped 46 cvtres.exe 39->46         started        56 C:\Users\user\AppData\Local\...\mkb3zjlt.dll, PE32 42->56 dropped 48 cvtres.exe 42->48         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-16 03:18:05 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8005 banker trojan
Link:
https://tria.ge/reports/210316-crdx8fzatn/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Deletes itself
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
ssddl2.microsoft.com
siberiarrmaskkapsulrttezya.ru
sibedriamasterkkmoderatordstezya.ru
massidfberiatersksilkavayssstezya.ru
dolsggiberiaoserkmikluhasya.chimkent.su
dolsibegriaosersk4ermanderezya.chimkent.su
rdosdripakloserikabyatezya.chimkent.su
rusddripakoloserufinurtdrfezya.chimkent.su
ripakteenrufinishryeuliliezya.ru
rufiteemnisripakhglassdzya.ru
rufinisrufripakhmileronurzya.ru
rurugyrfripakinishtokokusstezya.ru
rufislomnishsripakerdfnstezya.adygeya.su
adav.microsoft.com
stratosferiss.ru
miniklanssstoezya.ru
sbigaschyress.chimkent.su
bigsachyd.abkhazia.su
sbsigachyeytezya.ru
sbigfachykatezya.ru
fgbiggachykvangdikezya.adygeya.su
zstremniagrazaautobanya.club
stremnaarumndadstezya.com
zastremnesddstezya.ru
minstremnstoun.ru
stremnrootttd.ru
stremnntveinee.chimkent.su
zastremnsamohodkakas.agency
Unpacked files
SH256 hash:
d205f030da71f4967a3524eba124e588d7924b13752a8dcf694ab41c5bfe32ef
MD5 hash:
f76936131edbaede06e14867b8fe4873
SHA1 hash:
9f291dd75e48efe7654c152e9972c4573986f006
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/7b0f9742-a956-46f9-a645-f9ac8d18166e/
Parent samples :
dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6
f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641
aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154
d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42
556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb
SH256 hash:
298d0ff74e2d7a07d367709d17b599bd3e9f756c866829cf2f262d83f02645ac
MD5 hash:
1f12d6d3bf04a979e540dc0f95fcf87e
SHA1 hash:
2f93e036427dde49417e358467041e26050100c9
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/7b0f9742-a956-46f9-a645-f9ac8d18166e/
Parent samples :
dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6
f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641
aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154
d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42
556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb
SH256 hash:
f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641
MD5 hash:
2bba9ec2e0dc86ce99edcb310abf3786
SHA1 hash:
e6683d712477887b2c13a8baf5eb52b44d86645c
Link:
https://www.unpac.me/results/7b0f9742-a956-46f9-a645-f9ac8d18166e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Smoke Loader

Executable exe 65af1ef671dafde80bef708f3001a4d94eeb54fb9193d409002d4bae52fbd99c

Gozi

Executable exe f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641

(this sample)

  
X
https://twitter.com/nao_sec/status/1371657609409822723
  
Dropped by
SHA256 65af1ef671dafde80bef708f3001a4d94eeb54fb9193d409002d4bae52fbd99c
  
Delivery method
Distributed via web download

Comments