MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 278e368f49b3dc5e72eb5c81abc8b379167ab4a1ef282c61485dccd5cbd12b8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 2

Intelligence 2 IOCs YARA 1 File information Comments

SHA256 hash:	278e368f49b3dc5e72eb5c81abc8b379167ab4a1ef282c61485dccd5cbd12b8d
SHA3-384 hash:	b32722e1e7edb5a3a94a4d40c46503dac9101eb9fe2f54d68ad76851e4a3474d3462e40a36500564875a2a4a2994f157
SHA1 hash:	120266873d1df2012e0d1b67e915b126fef7bc63
MD5 hash:	42010d7791d78908150cbd73bc6e139e
humanhash:	item-victor-whiskey-pizza
File name:	ord_438 (13).doc
Download:	download sample
Signature	Gozi Create hunting rule
File size:	184'415 bytes
First seen:	2020-05-26 13:17:06 UTC
Last seen:	Never
File type:	doc
MIME type:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep	3072:0U/3NkbUuTWuNHLE0qwNHPRLHVLpUvSP5Bb3gSkNX3wjnmAEV2sY73:D/3NmTtNHTqwRdVLhP5ZuwPsi
TLSH	BD0401AB84106C27E27AD3757F0B4E8D63467C4FC50CB8DB0D457AA8BBA1593091DA3E
Reporter	abuse_ch
Tags:	doc geo Gozi isfb Ursnif USA

abuse_ch

Malspam distributing Gozi:

HELO: murrypurryfurry.net
Sending IP: 81.29.134.114
From: Anna Griffin <Moore@murrypurryfurry.net>
Subject: Office #xxxxx
Attachment: ord_438 13.zip (contains "ord_438 (13).doc")

Gozi payload URL:
http://91.211.245.163/gijm42g.exe

Gozi C2:
https://votboo.xyz/index.htm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.DOCXRSTRGOOD.WIN32_PROCESS.200408.UNOFFICIAL

TwinWave.EvilDoc.DOCXRSTRGOOD.WINMGMTS

TwinWave.EvilDoc.DOCXRSTRGOOD.WIN32_PROCESS.200402.UNOFFICIAL

Gathering data

Threat name:

Document-Word.Downloader.Euy

Status:

Malicious

First seen:

2020-05-26 13:36:20 UTC

AV detection:

15 of 30 (50.00%)

Threat level:

2/5

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-m8q16dmbws/

Behaviour

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Drops file in System32 directory

Loads dropped DLL

Blacklisted process makes network request

Process spawned unexpected child process

Malware Config

Dropper Extraction:

http://91.211.245.163/gijm42g.exe

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.