MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7c8f22c944ad9bcf149348cbbe8f404fc69b58fe15977245fc2413f6e327e09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7c8f22c944ad9bcf149348cbbe8f404fc69b58fe15977245fc2413f6e327e09
SHA3-384 hash: 576baf519f8478a48baa3d2659665442a59cdd04e79130d086eb90b219ef1f4e06bb94300b6cb5f2939f7918ea2b8087
SHA1 hash: 7adf95e9cab0549c4d516d536680e013ffd18305
MD5 hash: d61aa8b37f170e6531f887e76736e410
humanhash: harry-oklahoma-fillet-six
File name:d61aa8b37f170e6531f887e76736e410.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:173'568 bytes
First seen:2021-02-28 08:40:09 UTC
Last seen:2021-02-28 10:48:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7dd77e7157301149249e93a10e393349 (2 x Gozi, 1 x SystemBC)
ssdeep 3072:x36hR+tkq9kLOuI1YhvyrONrAZkvBPCXSlDEq2:xqutT9kLOuEYhvyrWAZk5E
TLSH 71049D257693C033E55390709AE5C6F55A2ABC710BA9A8D7BBC40B694F713F3CA35382
Reporter abuse_ch
Tags:exe Gozi isfb Ursnif


Avatar
abuse_ch
Gozi C2:
http://klounisoronws.xyz/fallback/

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'086
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d61aa8b37f170e6531f887e76736e410.exe
Verdict:
No threats detected
Analysis date:
2021-02-28 08:56:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/88c2be03-95e5-418f-800d-9a71182b42e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119991/
Detection(s):
SecuriteInfo.com.Variant.Midie.79610.24370.22930.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/620850
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f7c8f22c944ad9bcf149348cbbe8f404fc69b58fe15977245fc2413f6e327e09/
Threat name:
Win32.Backdoor.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-02-28 08:41:05 UTC
AV detection:
13 of 49 (26.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=67epeleujlm3z4kjgsglx2huat6gtnmp4fmxojc7yjat63rspyeq._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:6565 banker trojan
Link:
https://tria.ge/reports/210228-d18bbjg3ds/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
updates.microsoft.com
klounisoronws.xyz
darwikalldkkalsld.xyz
c1.microsoft.com
ctldl.windowsupdate.com
195.123.209.122
185.82.218.23
5.34.183.180
bloombergdalas.xyz
groovermanikos.xyz
kadskasdjlkewrjk.xyz
Unpacked files
SH256 hash:
ba63c14d0972a3bed8b8813954b4ddeaa8ef733afac9ed3a86372bfc87a2aa97
MD5 hash:
01bbf9a59beeb52288bdec21980db6e7
SHA1 hash:
ca85f5df9b2572f5a1606eeabee646dc871a9712
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/3e01ee46-4fe4-4339-a720-65349c380258/
Parent samples :
77e3afaec1b7b091e7f1fd3bbfac6aa65216e60d6b6f3c866304913278470f61
33b931c8f19d3ef8b354cc7ca24ebfbb2cdf2b83e5717b1dd7c81cef80238591
9d40d8e5b54507f1e857aaa2c16fd22b7e3eb3c87a72d33a649bd9bc382a21b4
e789b72e2160d3c51e6ab89c99d8bb1075f380f875e8a7bfc8dae20eff3e8388
f7c8f22c944ad9bcf149348cbbe8f404fc69b58fe15977245fc2413f6e327e09
267d3265b48b05aeb6ea82ca0f6ba1766108ecab9d7e2a5803c92ea055c53428
1592f542473e48b5a4ceac2f276254d0e8c4c7f820e500979f2a787bb6e32507
SH256 hash:
d2084f368e2e45d62bf13e08e37dedc7eeafad56884eb886ebb89ec536cec72b
MD5 hash:
70ed08a079518f6338854f5fa99c1e03
SHA1 hash:
1e86015dc8a5dbd01f7da6e5d8f3f86c638a4bca
Link:
https://www.unpac.me/results/3e01ee46-4fe4-4339-a720-65349c380258/
SH256 hash:
f7c8f22c944ad9bcf149348cbbe8f404fc69b58fe15977245fc2413f6e327e09
MD5 hash:
d61aa8b37f170e6531f887e76736e410
SHA1 hash:
7adf95e9cab0549c4d516d536680e013ffd18305
Link:
https://www.unpac.me/results/3e01ee46-4fe4-4339-a720-65349c380258/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7c8f22c944ad9bcf149348cbbe8f404fc69b58fe15977245fc2413f6e327e09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe f7c8f22c944ad9bcf149348cbbe8f404fc69b58fe15977245fc2413f6e327e09

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1030978/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/119991/

Comments