MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ab79263ec3e73bdfb8ef6c93e33622b8529de1cf78d4e6f008368a16139aa18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ab79263ec3e73bdfb8ef6c93e33622b8529de1cf78d4e6f008368a16139aa18
SHA3-384 hash: 97465c8396d039030f8aea8e7863f7f68ed71df2087d642b6344323fb821433df2a7e4f1ea4940971e3ec74002fdde31
SHA1 hash: c94ab8ee724e4b68b24bb633c58e0e5eadb3a7c1
MD5 hash: 37a3cfe9365b881510b83a65dcf6baa5
humanhash: hydrogen-autumn-double-nuts
File name:5ed77ff64d9b6.tiff
Download: download sample
Signature Gozi
Create hunting rule
File size:226'304 bytes
First seen:2020-06-03 11:11:36 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash abb2786856e31b28b994064b6f6db952 (2 x Gozi, 1 x ZLoader)
ssdeep 3072:8pMXRAkn59e1Qlh1kifVrGJYFGG9mTDezop7FppVKxfEhdHuZLlLlXcNXFSFFqbk:0t1ugAtGG9XxUVSe
Threatray 134 similar samples on MalwareBazaar
TLSH 4724CF6136B44432F24B8B3D28A381618A7EBDC8977CC1D367C123975BA72C186B97D7
Reporter abuse_ch
Tags:geo Gozi isfb ITA Ursnif


Avatar
abuse_ch
Malspam distributing Gozi:

HELO: it
Sending IP: 130.0.189.48
From: amm093@brt.it
Subject: Fattura BRT S.p.A. n. 59348 del 03/06/20
Attachment: Fattura_91244.xlsm

Gozi payload URL:
https://bizzznez.com/

Gozi C2:
https://bizzznez.org/images/

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 11:37:33 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
18 of 48 (37.50%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
51710ac663a6fd3bc7f166045d4cb38b1e1796195b4aab057b4133df8db9ef8b
Gozi
562be8984ba2629bba153f053977bb0ef17942bfefdb610a8eb618d955ded112
Gozi
6a39a3e7387f3d214042b2d9d99f4d6de18303d56ad96c9a48df20cf4693091b
Gozi
c29378cbc2cf94c0c8e5245b0cccb263b648a2782eb8b3f3871fe1aada22b8fd
Gozi
c85d0da5fe543408376ed6c916d5e498aadc0b5f75be0ddc59a4efe3da5fff07
Gozi
cb27ecf6bee0620962aa33d1fc0496a1a201b80b67b446fa9d25a9e67e32abca
Gozi
ceafed22728ab72aa4a74dc2fc96d54b85ec0432ef0c97a4497075cc802109d3
Gozi
d172a71154aa9f8859c5ae2271c0ba716e772a99a23273818bc9a1fe8ee1a5d2
Gozi
dc0df8f5ee0e898e069643a84cbc8154d6191f081665e245f1a9e2085028062f
Gozi
f394be3f5bca6042b4c243810e61047cdc48802d278059ab03d07b2495e48704
Gozi
+ 124 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201109-s7l9cf3s6n/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Gozi

Excel file xlsm c4bdbd1712e21e7d5703e23691704042fd8c067b09a43cef643723c149946005

Gozi

DLL dll 3ab79263ec3e73bdfb8ef6c93e33622b8529de1cf78d4e6f008368a16139aa18

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/376149/
  
Dropped by
MD5 1d7d64d36d37449e514add9baa34139b
  
Dropped by
SHA256 c4bdbd1712e21e7d5703e23691704042fd8c067b09a43cef643723c149946005
  
Delivery method
Distributed via web download

Comments