MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 9



SHA256 hash: f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
SHA3-384 hash: fe7e9af8957d8959e6da4a3e99408836ef30d6c06dbcedad08e6688e34d11f802a00626de3766e889dcce50b06e30067
SHA1 hash: dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708
MD5 hash: d31c0491f522d6b9f2102109bd2420af
humanhash: arizona-papa-autumn-magnesium
File name: ioir.png.dll
Signature: Gozi
File size: 552'448 bytes
First seen: 2021-02-05 14:09:13 UTC
Last seen: 2021-02-05 16:16:36 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 127ef7eee4def6f47e8e66d53f8ddc7c (1 x Gozi)
ssdeep: 12288:XCY7z0vLfhyqJ0UYek/zLOmyK8rkApSc1jJFX:SWz09yqJ5Ye6PHuNScBJF
Threatray: 629 similar samples on MalwareBazaar
TLSH: E5C47E63B2E14837D1631E789D2B97B8A837BF102D24784A6BF51C4C5F39681386A3D7
Reporter: Anonymous
Tags: Gozi isfbv3 Ursnif

Intelligence


File Origin
# of uploads: 2
# of downloads: 284
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 68 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
[Behavior graph image not reproduced] Behavior Graph ID: 349160; Sample: ioir.png.dll; Startdate: 05/02/2021; Architecture: WINDOWS; Score: 68
Signatures in graph: Multi AV Scanner detection for submitted file; Yara detected Ursnif; Writes or reads registry keys via WMI; Writes registry values via WMI; Contains functionality to detect sleep reduction / modifications
Process tree in graph: loaddll32.exe -> rundll32.exe -> WerFault.exe; iexplore.exe -> iexplore.exe (two child instances)
Network in graph: iexplore.exe contacts topitophug.xyz (45.133.216.103, port 443, CLOUDSOLUTIONSRU, Russian Federation)
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2021-02-04 22:27:57 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5
Result
Malware family: gozi_rm3
Score: 10/10
Tags: family:gozi_rm3 botnet:201193207 banker trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Blocklisted process makes network request
Gozi RM3
Malware Config
C2 Extraction: https://topitophug.xyz
Unpacked files
SHA256 hash: 99974e8073f586697a5c2ee5019e232efa74c953985af41ee22eb3d9f66c9236
MD5 hash: c3b9e783c5ef0499b5cc5111952c6177
SHA1 hash: 61c6acd6c64da30e40b9babc9289a546f5e0a898
Detections: win_isfb_auto
SHA256 hash: f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
MD5 hash: d31c0491f522d6b9f2102109bd2420af
SHA1 hash: dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Gozi | DLL (dll) | f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f (this sample)

Delivery method: Distributed via web download

Comments