MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9f77f992f0c7bf8ec0a39acdac1a343f6418e50510db1f92347d5270d0ab9ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9f77f992f0c7bf8ec0a39acdac1a343f6418e50510db1f92347d5270d0ab9ab
SHA3-384 hash: 04e14fb95696db3c7c5c77553033bf09e9394e21242aefd6f29acbfb1d4372f0b1cb94a8d39d7eb38fdde4121e3c4e2d
SHA1 hash: 90d82c7e8a3f2d3c4ec8e4542605eafbcb07bf95
MD5 hash: 6a76e615a7997fc04e3003ce16c9bc3d
humanhash: fix-mexico-louisiana-march
File name:6a76e615_by_Libranalysis
Download: download sample
Signature Gozi
Create hunting rule
File size:871'936 bytes
First seen:2021-05-06 16:02:34 UTC
Last seen:2021-05-06 17:04:32 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 973489e8c974fff7f93fb4970ed9b5a2 (1 x Gozi)
ssdeep 12288:KO2UqKIpQyBwBJpU4OpQHXi/AfBC0arX3kHcWlNyZaH/3LYwVe5xd2hx:Z920HS/Aff0yNNyZu3LTeW
Threatray 237 similar samples on MalwareBazaar
TLSH 6B056C11B650C039F4A360FC4AADD2B9A93C79A11B1465CB73CC6FEE5732AE0693135B
Reporter Libranalysis
Tags:Gozi


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif
Create hunting rule
Link:
https://www.capesandbox.com/analysis/151755/
Detection(s):
SecuriteInfo.com.Variant.Babar.26409.18093.7100.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/714364
Signature
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 406107 Sample: 6a76e615_by_Libranalysis Startdate: 06/05/2021 Architecture: WINDOWS Score: 88 23 Multi AV Scanner detection for domain / URL 2->23 25 Found malware configuration 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 2 other signatures 2->29 7 loaddll32.exe 1 2->7         started        10 iexplore.exe 2 83 2->10         started        process3 signatures4 31 Writes or reads registry keys via WMI 7->31 33 Writes registry values via WMI 7->33 12 cmd.exe 1 7->12         started        14 rundll32.exe 7->14         started        16 iexplore.exe 35 10->16         started        process5 dnsIp6 19 rundll32.exe 12->19         started        21 green.salurober.com 34.86.224.8, 49704, 49705, 80 GOOGLEUS United States 16->21 process7
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f9f77f992f0c7bf8ec0a39acdac1a343f6418e50510db1f92347d5270d0ab9ab/
Threat name:
Win32.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2021-05-06 16:03:13 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7h3x7gjpbr57r3akhgwnvqndip3eddsqkeg3d6jdi7ksodikxgvq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
3c0bc20be866d4a0156f5b1ebb5418e9e58b65f292f4defbde0052644ca2c0e9
Gozi
419e1f52d1dd72ef9e9d2af16124abcaa2cc889389bbb10bb8d1fa23276ba697
Gozi
532bc80351a659699d32d8f10760dca714cb395997cf0667e9631983d1b3a773
Gozi
70d9397fa81ec09be21e1bc235c6c9838612ba43cf238bcaf5525321a8ec3df0
Gozi
900a62f1d821af1da2b5235e651057b062a9fd3c74002ac38218038f7e6b4ea4
Gozi
9ed3ecdf0bb81781af7d2047a54103aa6eed022d1dd01b0477359558a28c6c06
Gozi
e1c53b0e0d02d22d90496aa67298086866f78fbe18ee00b17ce4fd1beb0f033c
Gozi
ea0f2536c5068f5a7b2c4776f40bf9eb8fbbb79f63c854991b4c57b8959fbf56
Gozi
f1abc2c7434df1d042774d3b48b1b609a576bb50a288802c646de4450a42345d
Gozi
f7d4b9acabc3f9a0425ed10c542838f0206b0ce8458b5b7b3b1f9211436d684a
Gozi
+ 227 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:5500 banker trojan
Link:
https://tria.ge/reports/210506-tj2vhczy3j/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
green.salurober.com
frm.mironeramp.com
chat.billionady.com
app3.maintorna.com
Unpacked files
SH256 hash:
a4f9b47b5e2a8c072189508875f2d4b28c24a48d1ec9cafc964d6c211d6729f8
MD5 hash:
5841f3e0a2899ccad360c29bf5eb6043
SHA1 hash:
e629b0f0ddc9e342906d8c9ca0a8d909f81858be
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/a226d3ab-c1ed-4778-bc68-1a16b454bf4b/
SH256 hash:
f9f77f992f0c7bf8ec0a39acdac1a343f6418e50510db1f92347d5270d0ab9ab
MD5 hash:
6a76e615a7997fc04e3003ce16c9bc3d
SHA1 hash:
90d82c7e8a3f2d3c4ec8e4542605eafbcb07bf95
Link:
https://www.unpac.me/results/a226d3ab-c1ed-4778-bc68-1a16b454bf4b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9f77f992f0c7bf8ec0a39acdac1a343f6418e50510db1f92347d5270d0ab9ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/151755/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-06 17:15:33 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
1) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
2) [C0052] File System Micro-objective::Writes File
3) [C0007] Memory Micro-objective::Allocate Memory
4) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
5) [C0040] Process Micro-objective::Allocate Thread Local Storage
6) [C0041] Process Micro-objective::Set Thread Local Storage Value
7) [C0018] Process Micro-objective::Terminate Process