MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fed0ceb220d653d828440b9858d7cddce0a38afaf368f3dede8c1a9942a9cfac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fed0ceb220d653d828440b9858d7cddce0a38afaf368f3dede8c1a9942a9cfac
SHA3-384 hash: 45a367c83bd641cec1e488db8520b4826f52c5f0585a58daee6fc9d4f5c29ad736ec11ade002047fed28c00d81baca7a
SHA1 hash: bf36217993523e9e2caeab574a71d55c08ba9e2d
MD5 hash: 1fe42a1e3803c0080a8377531a556dca
humanhash: dakota-idaho-maryland-happy
File name:tar.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:1'246'720 bytes
First seen:2021-10-05 09:05:54 UTC
Last seen:2021-10-05 10:18:26 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 3914a19d88280b08f06c9e1ef6320e88 (3 x Gozi)
ssdeep 24576:xQWi7MQhrgc/IQA3DEEf3cFDZYbZy8zl2ws5KHGv/ChfHOtpfdwuPiHT8XYAT/aD:uxHrgc/IQA3oEvcFtYbZy8zl2wLHGv/Y
Threatray 1'035 similar samples on MalwareBazaar
TLSH T14A45DD543A54F510EBA96972CF6AC5F907057D09EFF1B49B78E03E0F2AAE8A3D512301
Reporter JAMESWT_WT
Tags:brt dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
834
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194959/
Detection(s):
SecuriteInfo.com.W32.Qbot.GC.genEldorado.7899.27155.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/615c2b8db95458900cdc61b9/reports/56985b5c-7333-412e-95c5-ecfbb535f1f5/overview
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9d79ede-156f-40d1-9a26-9200d5225123
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/864624
Signature
Found malware configuration
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 497049 Sample: tar.dll Startdate: 05/10/2021 Architecture: WINDOWS Score: 80 25 gloderuniok.website 2->25 39 Found malware configuration 2->39 41 Yara detected  Ursnif 2->41 8 loaddll32.exe 1 2->8         started        signatures3 process4 dnsIp5 33 gloderuniok.website 37.120.239.178, 443, 49776, 49801 SECURE-DATA-ASRO Romania 8->33 35 vloderuniok.website 89.44.9.150, 443, 49763, 49774 M247GB Romania 8->35 37 4 other IPs or domains 8->37 45 Writes or reads registry keys via WMI 8->45 47 Writes registry values via WMI 8->47 12 rundll32.exe 8->12         started        15 cmd.exe 1 8->15         started        17 rundll32.exe 8->17         started        19 rundll32.exe 8->19         started        signatures6 process7 signatures8 49 System process connects to network (likely due to code injection or exploit) 12->49 51 Writes registry values via WMI 12->51 21 rundll32.exe 15->21         started        process9 dnsIp10 27 vloderuniok.website 21->27 29 gloderuniok.website 21->29 31 4 other IPs or domains 21->31 43 System process connects to network (likely due to code injection or exploit) 21->43 signatures11
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fed0ceb220d653d828440b9858d7cddce0a38afaf368f3dede8c1a9942a9cfac/
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0fad99df64bf4006dbc91b0ad6a3bb38170561ecc759d352a6912e4c86d5c682
Gozi
2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c
Gozi
5657bb527b62a7a83fb6542f2f80f50d0574dfa0b26a26ff26deb9029687b19a
Gozi
6700cc014e9ef5473a909a0c10d644661ccd0750ca942abd458cec91e32bf551
Gozi
b7d73139f8758b04508d6873dd29011ab35b336b73ece0d4ea0710399c960180
Gozi
e4a5317a1b7c1ab91bb131dba5fea06fdb89e38c291e17f71b5c1634cfddecbe
Gozi
f9fd7b6794b5579f64c034d1cfd0adbc5c4c5ef433d0e9f2b6ff95d58d3d7201
Gozi
+ 1'025 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8899 banker suricata trojan
Link:
https://tria.ge/reports/211005-k2s7kshhak/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Malware Config
C2 Extraction:
msn.com/login
vloderuniok.website
gloderuniok.website
Unpacked files
SH256 hash:
234c702b69f66572f784523d62502766b3f8d2971bd4c4a2bab92dba27d62877
MD5 hash:
436ff40a64aab279a3a1527bf9ca9b11
SHA1 hash:
9806b221bbfe3e47074767f6b88f1994b3ab9a5d
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/7abefa5f-f2ae-476f-b811-5478df8a4fad/
Parent samples :
fed0ceb220d653d828440b9858d7cddce0a38afaf368f3dede8c1a9942a9cfac
f68b7fa37be0ae601a95fb0369757160464b595af8b1f49b4f46eb3bb7a37e45
2f4d76314a00fb7a8047fcdd3ee26c39d2a550cde356d35ae517631392a66e8a
SH256 hash:
4086453cca1b5279d581ee77e0dcb6e02c2412e359b7551686afa8866ca874f9
MD5 hash:
bd078324a10b99e44b75ca0a3266b56a
SHA1 hash:
575ab6061d524a8420dd15c36a013b35c1c5013f
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/7abefa5f-f2ae-476f-b811-5478df8a4fad/
SH256 hash:
fed0ceb220d653d828440b9858d7cddce0a38afaf368f3dede8c1a9942a9cfac
MD5 hash:
1fe42a1e3803c0080a8377531a556dca
SHA1 hash:
bf36217993523e9e2caeab574a71d55c08ba9e2d
Link:
https://www.unpac.me/results/7abefa5f-f2ae-476f-b811-5478df8a4fad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fed0ceb220d653d828440b9858d7cddce0a38afaf368f3dede8c1a9942a9cfac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194959/

Comments