MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8a1d78eb7691f90053a5d7ad70588bed4c4a5cdd7bc949c368d8c2bc62f95c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 13



SHA256 hash: f8a1d78eb7691f90053a5d7ad70588bed4c4a5cdd7bc949c368d8c2bc62f95c4
SHA3-384 hash: 7de5b009548eab804c354287d32324973553cf2fceec9c7029f8d91f4a4ad135c40d9c30c58108fb7a49b3f0b303151e
SHA1 hash: 093cb13d256ff3e367cc8c60fe68f96582a35f29
MD5 hash: 1ff3761d62cc5ee7c888a8c1bdd9d1ac
humanhash: fruit-yankee-bulldog-one
File name: f8a1d78eb7691f90053a5d7ad70588bed4c4a5cdd7bc949c368d8c2bc62f95c4.bin
Download: download sample
Signature: Gozi
File size: 821'248 bytes
First seen: 2023-07-18 15:47:09 UTC
Last seen: Never
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 34188f9790f1e6bd6924e17658a1d977 (2 x Gozi)
ssdeep: 12288:/+WNeJLmTo/dgvHKRNR7PlB5D9Di/2ytQLP647vpvWhRodzXo/fGRAkMwFroD:/+Q46To/dgPOVP35ZWrs6kvonx6o
Threatray: 256 similar samples on MalwareBazaar
TLSH: T13C05AFB7F89470D3D926CDB78C2DA1A7042DB25277A7933A7398292416206B73E073D7
TrID: 58.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      12.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      9.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      3.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: k3dg3___
Tags: 20000 dll Gozi Ursnif

Intelligence


File Origin
# of uploads: 1
# of downloads: 311
Origin country: US
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a custom TCP request
Verdict: No Threat
Threat level: 10/10
Confidence: 100%
Tags: masquerade
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Ursnif, DarkVNC
Detection: malicious
Classification: bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Changes memory attributes in foreign processes to executable or writable
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Yara detected DarkVNC
Behaviour
Behavior Graph (rendered graph image not reproduced; recoverable details below):
Behavior Graph ID: 1275277
Sample: 9PY1NFwBmZ.dll
Startdate: 18/07/2023
Architecture: WINDOWS
Score: 100
Processes observed: mshta.exe, loaddll32.exe, rundll32.exe, powershell.exe, csc.exe, cvtres.exe, conhost.exe, control.exe, cmd.exe, explorer.exe (injected)
Network contacts: 45.11.182.38 (ports 49701, 49702, 49703; PORTLANE www.portlane.com SE, Germany); 45.155.249.220 (ports 49704, 80; MEER-AS meerfarbig GmbH Co KG DE, Germany); 94.247.42.213 (ports 49705, 49707, 80; MEER-AS meerfarbig GmbH Co KG DE, Germany); 107.158.128.38 (ports 49706, 9955; EONIX-COMMUNICATIONS-ASBLOCK-62904 US, United States)
Dropped files: C:\Users\user\AppData\...\2dl12nxo.cmdline (Unicode); C:\Users\user\AppData\Local\...\2dl12nxo.dll, pw10fmuu.dll, k2zgw5z0.dll, hp24zk5d.dll, zk22jit0.dll, t0rgxxdw.dll, eit134al.dll (all PE32)
Threat name: Win32.Trojan.CrypterX
Status: Malicious
First seen: 2023-07-18 15:48:07 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 16 of 25 (64.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:gozi botnet:20000 banker isfb trojan
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi
Malware Config
C2 Extraction:
http://45.11.182.38
http://79.132.130.230
https://listwhfite.check3.yaho1o.com
https://lisfwhite.ch2eck.yaheoo.com
http://45.155.250.58
https://liset.che3ck.bi1ng.com
http://45.155.249.91
Unpacked files
SHA256 hash: cc1874ea85147445107d3af1521d83a8c61ea8d0eab6bb0c419a6f4c949a1b92
MD5 hash: 5dc42a2696e404587618ffb2c406f573
SHA1 hash: e04e260e5f436b008320dcd20eb0870507143a1d

SHA256 hash: f8a1d78eb7691f90053a5d7ad70588bed4c4a5cdd7bc949c368d8c2bc62f95c4
MD5 hash: 1ff3761d62cc5ee7c888a8c1bdd9d1ac
SHA1 hash: 093cb13d256ff3e367cc8c60fe68f96582a35f29
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.isfb.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: SHA256 3b7dd3af32d34e2423193fb04b07174f882df78be1a980206a8bda47c89370b8
Signature: Gozi
File type: DLL (dll)
SHA256: f8a1d78eb7691f90053a5d7ad70588bed4c4a5cdd7bc949c368d8c2bc62f95c4 (this sample)
Delivery method: Distributed via e-mail link

Comments