MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f61fcafad37cc40632ad85e4f8aa503d63700761e49db19c122bffa7084e4ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 4

SHA256 hash: 4f61fcafad37cc40632ad85e4f8aa503d63700761e49db19c122bffa7084e4ec
SHA3-384 hash: 118e4f9a1ce738c5fbd7dfc2e39396488ccff7c30dc48931f187327c34ad40072abfa39a05d09ae5ca3593b4fa9f460a
SHA1 hash: e3e98f6f780c54a86af046a8612b984dbbe16a24
MD5 hash: 838c6c76b5f43793ba6a966ff3cfe1bf
humanhash: johnny-paris-alanine-harry
File name: y.rb
Signature: Gozi
File size: 431'792 bytes
First seen: 2020-06-10 07:24:55 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: fcebffbbda4c8d1cc8d1a46cc8391765 (1 x Gozi)
ssdeep: 6144:MG/nMeCMDNS1wz3YpxG7Y2nwT6ESpRJMu+uzZVqcNa:ZfM8DNS1wkb52USH9V3Na
Threatray: 381 similar samples on MalwareBazaar
TLSH: 8794013955AFC617EE3589B08F6A4092743306A13DBECC9FD267160EECAE4F90278157
Reporter: JAMESWT_WT
Tags: Gozi

Code Signing Certificate

Organisation: BCJTJEJXDCZSKZPJGJ
Issuer: BCJTJEJXDCZSKZPJGJ
Algorithm: sha1WithRSA
Valid from: May 28 17:20:11 2020 GMT
Valid to: Dec 31 23:59:59 2039 GMT
Serial number: 753AAA57CAEA3484413AEA6797377472
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: D6A32E037403FC8A36A606D42D5638CC9C7D7A1FFF579731CB85B7B1F2AC1985
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 62
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Infostealer.Gozi
Status: Malicious
First seen: 2020-06-02 21:41:02 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 25 of 29 (86.21%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:ursnif banker trojan

Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Program crash

Ursnif, Dreambot

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments