MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5804bc1b3709fb141a9886fded0f418553b8a4fb3fbafe8dcd7e7ede5cc55157. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5804bc1b3709fb141a9886fded0f418553b8a4fb3fbafe8dcd7e7ede5cc55157
SHA3-384 hash: be177efbcf6fd9509c3435a455bb2959fca26435655ad7ec16ec4ef52d67d8a6530180211d5dbdbe97c5f6659de77430
SHA1 hash: a0a408eada84a05ef3d95036c0ecc10b4792ef40
MD5 hash: 4e506afde33fa1eab20894aa1c982542
humanhash: colorado-three-fanta-mirror
File name:1966646856.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:111'566 bytes
First seen:2020-04-06 07:34:27 UTC
Last seen:2020-04-06 08:50:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2055bd5e5e13dc5dbf1dd934f372f818 (1 x Gozi)
ssdeep 3072:9I6JQGuHlBhl45ik04Bn5n/An2/997oizgEnZJcGBa5G0dUvJ:LeZvk04Bn5n/An2/99UungbdqJ
Threatray 666 similar samples on MalwareBazaar
TLSH 7DB34B25B364BD5DC46D493231789EF789D8EC7C1006A04AB745FF826CB53FA8826F92
Reporter abuse_ch
Tags:exe Gozi Ursnif

Code Signing Certificate

Organisation:Ltd
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Mar 28 00:00:00 2020 GMT
Valid to:Mar 28 23:59:59 2021 GMT
Serial number: CA987A78A2E25FBC1A51519746B5B933
Thumbprint Algorithm:SHA256
Thumbprint: 7932BCB6860612A04BF613C9C973EA35E94B1366E46F6A60F1EC3A6EB2182FD3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing Gozi:

HELO: smtp95.iad3a.emailsrvr.com
Sending IP: 173.203.187.95
Subject: doc - 819339330 - AU819339330
Attachment: halardocko-819339330.xls

Gozi payload URL:
http://www.accursomacchine.com/indigo/indigoman.php

Gozi C2:
https://dropshipbear.xyz/index.htm (46.29.165.151)

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Gozi-7650608-1
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 07:35:27 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
23155ae9b7f7b7884dfdc820fd77f7600875dafcf39df4d941240f90fe06ae2d
Gozi
278e368f49b3dc5e72eb5c81abc8b379167ab4a1ef282c61485dccd5cbd12b8d
Gozi
2b648f76aaae28bfbe8e9e4be3db323aefd3933a60ad6ec4d1847b78d8282a3f
Gozi
30c57f5803c861c2d36fc003f855ee9857e4aebc864be6b9f898176f93e3cbd3
Gozi
562b6f9799bf19a42aa840a2f7178cc11bce20110ade85cf354a57dd0b569824
Gozi
6e079394b3a3085d572975115b334d813a79cd5833509b6afa45542687a5dfce
Gozi
89146747e32e3c641c05585ff782874aeca718398f189a7dc37dd0e9b55895a5
Gozi
9ee6e02a3e8070a4d501f7033f54d17781d2d4f43bf3b0717e15d63a1fa2e145
Gozi
b3080e3dea927ae5c6d02fad35de244bf93c1d2594ad0d8cfb3900aaaa014f30
Gozi
f6fc7442449ac48b039f5e29230bd26383b62bee2a050f5e81553755b69e6f25
Gozi
+ 656 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Gozi

Excel file xls 523fa81255fdb2a9653295824aedc0a32344a159635e568935a9e76bdaa3d411

Gozi

Executable exe 5804bc1b3709fb141a9886fded0f418553b8a4fb3fbafe8dcd7e7ede5cc55157

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/335612/
  
Dropped by
MD5 0990ef3572a1fae9733dbdafb23cf624
  
Dropped by
SHA256 523fa81255fdb2a9653295824aedc0a32344a159635e568935a9e76bdaa3d411
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::PeekConsoleInputA
KERNEL32.dll::ReadConsoleInputA
KERNEL32.dll::ScrollConsoleScreenBufferA
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetConsoleCursorPosition
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::GetOpenClipboardWindow

Comments