MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0819171ecacc60ce94d946b5f2d4939f4b27c2d9275feb439a40ef6e927473c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	0819171ecacc60ce94d946b5f2d4939f4b27c2d9275feb439a40ef6e927473c2
SHA3-384 hash:	726ab1b9afee7054f4e38847f3edcf463c3b365f7627d3fc79971968df48dbf8d00b34932e4463db225224250e00a9e3
SHA1 hash:	b108ee0247256e1be209a5c37bfda4e3c9cbf625
MD5 hash:	ef91330c62c1e86bc2943bfac963612a
humanhash:	pizza-mountain-oregon-aspen
File name:	370f3fa54702d92f0e7d02c95a851756
Download:	download sample
Signature	Gozi Create hunting rule
File size:	151'552 bytes
First seen:	2020-11-17 12:45:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	32cbafab85e59f0916eab56d40525b8a (2 x Gozi)
ssdeep	3072:JWtChBFjpkNxeFPe/V9xD3bYbvyzRnoMmxfFHJfvXNYaBG/5b52B/w9vXFegHp:4+pU4FGFr0TyzRnHcHJte5V2B/iogHp
TLSH	A2E3CF6778A510F3D1A812BE04F0F78303AFE17D0C2AD25A1FE4914965856F5CD36E7A
Reporter	seifreed
Tags:	Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Modifying a system file

Using the Windows Management Instrumentation requests

Launching a process

Creating a window

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Creating a file

Searching for the window

Deleting a recently created file

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0819171ecacc60ce94d946b5f2d4939f4b27c2d9275feb439a40ef6e927473c2/

Threat name:

Win32.Infostealer.Gozi

Status:

Malicious

First seen:

2020-11-17 12:50:54 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Verdict:

malicious

Label(s):

gozi

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb banker trojan

Link:

https://tria.ge/reports/201117-pspr8jk57x/

Behaviour

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in System32 directory

JavaScript code in executable

Gozi, Gozi IFSB

Unpacked files

SH256 hash:

0819171ecacc60ce94d946b5f2d4939f4b27c2d9275feb439a40ef6e927473c2

MD5 hash:

ef91330c62c1e86bc2943bfac963612a

SHA1 hash:

b108ee0247256e1be209a5c37bfda4e3c9cbf625

Link:

https://www.unpac.me/results/ac39c3ac-81ce-464f-96bc-02fd1669d7b5/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample