MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff69d250cc705f583350967cc8956786e198d2ab5cbaa6e19fc63b1e2a208ac7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff69d250cc705f583350967cc8956786e198d2ab5cbaa6e19fc63b1e2a208ac7
SHA3-384 hash: 0093920fcfe902442df65ddf59d1801969764bca0965dc48bd026beed8d81746d3d6dacc0bea11767575f6f78e2a8562
SHA1 hash: 4e567696df314efdb3c0bb182677ab82f511bf2b
MD5 hash: 15edbc82e59fd8a6c0c90d3db539c4c8
humanhash: pip-double-october-eight
File name:header[1].jpg.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:391'024 bytes
First seen:2021-02-08 08:34:17 UTC
Last seen:2021-02-08 08:34:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a772111560b66004e6e750154e97bb74 (1 x Gozi)
ssdeep 6144:EViAfGZvYO/K9zWVB2ZYpp1gbKXflHvXcd0xrZv4fk6GFzGzC:IbkYv9zWyZKzgbKvxvXcd0nvD
Threatray 1 similar samples on MalwareBazaar
TLSH C8845B5734D7C132E321C5BED4896BF6B9645E90AB0974B767D03EEFB8330A246E0252
Reporter JAMESWT_WT
Tags:dll Gozi isfb mise signed Ursnif

Code Signing Certificate

Organisation:Symantec Corporation
Issuer:VeriSign Class 3 Code Signing 2004 CA
Algorithm:sha1WithRSAEncryption
Valid from:2007-10-31T00:00:00Z
Valid to:2010-11-24T23:59:59Z
Serial number: 758f5ee8263b6694719d8434eb998608
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: f67dda8679c10547d47fbc3bd71d98953d4f73fc60c50035e6f366e3da6395c2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SPAM.zip
Verdict:
Malicious activity
Analysis date:
2021-02-08 08:19:18 UTC
Tags:
trojan gozi ursnif dreambot loader
Link:
https://app.any.run/tasks/5b0c8484-04e7-4f2a-a5d0-988da9b37510

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116019/
Detection(s):
SecuriteInfo.com.Gen.NN.ZedlaF.34804.x89@aWIQp7oi.13685.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/601598
Signature
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 349813 Sample: header[1].jpg.dll Startdate: 08/02/2021 Architecture: WINDOWS Score: 64 25 atomproc.com 2->25 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected  Ursnif 2->37 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 regsvr32.exe 9->11         started        14 cmd.exe 1 9->14         started        signatures6 39 Writes or reads registry keys via WMI 11->39 41 Writes registry values via WMI 11->41 16 iexplore.exe 2 70 14->16         started        process7 process8 18 iexplore.exe 5 155 16->18         started        21 iexplore.exe 25 16->21         started        23 iexplore.exe 29 16->23         started        dnsIp9 27 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49741, 49742 YAHOO-DEBDE United Kingdom 18->27 29 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49743, 49744 FASTLYUS United States 18->29 33 10 other IPs or domains 18->33 31 ocsp.sca1b.amazontrust.com 143.204.15.203, 49768, 49769, 80 AMAZON-02US United States 21->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff69d250cc705f583350967cc8956786e198d2ab5cbaa6e19fc63b1e2a208ac7/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-02-08 08:34:10 UTC
File Type:
PE (Dll)
Extracted files:
60
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
bad7c7a4553a600deef25fe5e29b22fcba05d32f9155352d12f8438080b07fa9
Gozi
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210208-3z626nw4n6/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
ff69d250cc705f583350967cc8956786e198d2ab5cbaa6e19fc63b1e2a208ac7
MD5 hash:
15edbc82e59fd8a6c0c90d3db539c4c8
SHA1 hash:
4e567696df314efdb3c0bb182677ab82f511bf2b
Link:
https://www.unpac.me/results/bd398306-b32b-4c81-b8f9-09f25eb6a7e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff69d250cc705f583350967cc8956786e198d2ab5cbaa6e19fc63b1e2a208ac7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe ff69d250cc705f583350967cc8956786e198d2ab5cbaa6e19fc63b1e2a208ac7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/116019/
  
URLhaus
https://urlhaus.abuse.ch/url/994733/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/994732/
  
URLhaus
https://urlhaus.abuse.ch/url/994736/
  
URLhaus
https://urlhaus.abuse.ch/url/994734/
  
URLhaus
https://urlhaus.abuse.ch/url/994735/

Comments