MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27b3c804921ba560e04fcff33f185c76b08bf4473fa7f1bb699645e6da86c52e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 4



SHA256 hash: 27b3c804921ba560e04fcff33f185c76b08bf4473fa7f1bb699645e6da86c52e
SHA3-384 hash: b0dc8564ea612e3736ce5e126ea8de9ae7cde8d641ae37de8937abf8a558a44ab17350e9a7202f5fb52ab1b0b4cf176d
SHA1 hash: e7edd6d21740057c73747fb13565a9d61bae7778
MD5 hash: b497e4bc216dd2f311c49ff08d546637
humanhash: berlin-north-harry-venus
File name: skp.dll
Signature: Gozi
File size: 721'408 bytes
First seen: 2020-05-29 07:04:55 UTC
Last seen: 2020-05-29 08:06:22 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: c50d9bea08639b9176aabe1a254bcf6b (3 x Gozi)
ssdeep: 12288:CoYYiLPRW/httePP2JG9rPoC9JoOn7cGOAPG/MzTWD8jZSmA6p0FqvPWR1:MV9wReYGXn4kO/MzK4jZpA7qa
Threatray: 27 similar samples on MalwareBazaar
TLSH: 86E4CF363A9195BAE10F0A7E5C13C4B48AB17C58933144DB36C18E6B173B68B8DE4F97
Reporter: abuse_ch
Tags: dll geo Gozi POL ZLoader


abuse_ch
Malspam distributing ZLoader:

HELO: cloudserver071398.home.pl
Sending IP: 79.96.81.24
From: Orange <komfort@kancelaria-broker.pl>
Reply-To: Orange <biuro@kalisz-ubezpieczenia.pl>
Subject: e-faktura 05.2020
Attachment: faktura_59.xlsm

ZLoader payload URL:
https://aonagenarian.eu/3/skp.dll

ZLoader C2:
https://militanttra.at/owg.php

Intelligence


File Origin
# of uploads: 2
# of downloads: 89
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-05-29 07:21:59 UTC
File Type: PE (Dll)
AV detection: 21 of 30 (70.00%)
Threat level: 5/5

Result
Malware family: zloader
Score: 10/10
Tags: family:zloader botnet:bot5 campaign:bot5 botnet trojan

Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Zloader, Terdot, DELoader, ZeusSphinx

Malware Config
C2 Extraction: https://militanttra.at/owg.php

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | Gozi | DLL dll 27b3c804921ba560e04fcff33f185c76b08bf4473fa7f1bb699645e6da86c52e (this sample)

Delivery method: Distributed via web download

Comments