MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c359f210df80175b3fe8205db122f9380bbf4fcf2eabfc10c98a32d79e21c44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c359f210df80175b3fe8205db122f9380bbf4fcf2eabfc10c98a32d79e21c44
SHA3-384 hash: 56c9be5df6ad429053c9784ebff60413eff9f1b65b1b36557a1750ed3aa6dfa71ca8d76f9cb8735a155556e6d3a2288b
SHA1 hash: 8ee4915518f67171eaabc5a9464faf3588d29c87
MD5 hash: dc5e63f80e1adc0ca0e130be0d6a08c4
humanhash: black-salami-golf-tango
File name:gijm42g.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:1'885'512 bytes
First seen:2020-05-26 13:18:01 UTC
Last seen:2020-05-26 14:21:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a63371502a19295a9875defe83f24a26 (1 x Gozi)
ssdeep 49152:ycRB14f6gnLX3AEP55iB9CoA1wfx/m3TqAKePgj4u5DFvT:9/ef6gnLXQEPuB9CoA1QUTqAtPgj40vT
Threatray 635 similar samples on MalwareBazaar
TLSH 53959F3175808075D6A303729D1C7F6973F866B05B358B8726E45E2DFEF0443BA2CAA6
Reporter abuse_ch
Tags:exe geo Gozi isfb Ursnif USA

Code Signing Certificate

Organisation:KBK
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:May 20 00:00:00 2020 GMT
Valid to:May 20 23:59:59 2021 GMT
Serial number: 4B47D18DBEA57ABD1563DDF89F87A6C2
Thumbprint Algorithm:SHA256
Thumbprint: EB3F43BB9B5E6BC8276557279D17D63AAAE69B6A1AD0234689F163C98EA17F57
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing Gozi:

HELO: murrypurryfurry.net
Sending IP: 81.29.134.114
From: Anna Griffin <Moore@murrypurryfurry.net>
Subject: Office #xxxxx
Attachment: ord_438 13.zip (contains "ord_438 (13).doc")

Gozi payload URL:
http://91.211.245.163/gijm42g.exe

Gozi C2:
https://votboo.xyz/index.htm

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Netwalker
Create hunting rule
Link:
https://www.capesandbox.com/analysis/5195/
Detection(s):
PUA.Win.Adware.Browsefox-6628766-0
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 12:29:39 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
34 of 48 (70.83%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
278e368f49b3dc5e72eb5c81abc8b379167ab4a1ef282c61485dccd5cbd12b8d
Gozi
2b648f76aaae28bfbe8e9e4be3db323aefd3933a60ad6ec4d1847b78d8282a3f
Gozi
30c57f5803c861c2d36fc003f855ee9857e4aebc864be6b9f898176f93e3cbd3
Gozi
562b6f9799bf19a42aa840a2f7178cc11bce20110ade85cf354a57dd0b569824
Gozi
5804bc1b3709fb141a9886fded0f418553b8a4fb3fbafe8dcd7e7ede5cc55157
Gozi
6e079394b3a3085d572975115b334d813a79cd5833509b6afa45542687a5dfce
Gozi
89146747e32e3c641c05585ff782874aeca718398f189a7dc37dd0e9b55895a5
Gozi
9ee6e02a3e8070a4d501f7033f54d17781d2d4f43bf3b0717e15d63a1fa2e145
Gozi
b3080e3dea927ae5c6d02fad35de244bf93c1d2594ad0d8cfb3900aaaa014f30
Gozi
f6fc7442449ac48b039f5e29230bd26383b62bee2a050f5e81553755b69e6f25
Gozi
+ 625 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-92cgnn15pj/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IceID_Bank_trojan
Create hunting rule
Author:unixfreaxjp
Description:Detects IcedID..adjusted several times
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Gozi

zip 3bc4ab7cce74312ef62637623a5cfd9c4522271b6e5b1ead8b07613781baeb09

Gozi

Word file doc 278e368f49b3dc5e72eb5c81abc8b379167ab4a1ef282c61485dccd5cbd12b8d

Gozi

Executable exe 1c359f210df80175b3fe8205db122f9380bbf4fcf2eabfc10c98a32d79e21c44

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/369072/
  
Dropped by
MD5 42010d7791d78908150cbd73bc6e139e
  
Dropped by
SHA256 278e368f49b3dc5e72eb5c81abc8b379167ab4a1ef282c61485dccd5cbd12b8d
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/5195/
Cape
Cape
https://www.capesandbox.com/analysis/5193/
Cape
Cape
https://www.capesandbox.com/analysis/4846/
Cape
Cape
https://www.capesandbox.com/analysis/4845/

Comments