MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6593fa326b8eb0b737a17889c50c539ac45f2f9215fdab50ffa62df1be7ec2d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6593fa326b8eb0b737a17889c50c539ac45f2f9215fdab50ffa62df1be7ec2d1
SHA3-384 hash: a484a4a2496de753ed9924b7c4eae4b738e141819ff3823fc7a9d22ab27af86ff139112111a8f8d5225fc0378c2558d7
SHA1 hash: 69e3f9bbbf147d317da8bd59de3cdb3ca9043c6d
MD5 hash: ff1ad63517df53adaefcbeecf71311a1
humanhash: tennis-island-double-green
File name:s.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:1'083'392 bytes
First seen:2020-05-15 06:49:54 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash e5b38e14e280e455beee0355833e1519 (1 x Gozi)
ssdeep 24576:4Bi+phcIJXxh60nA2QWXRE/tosVdCeKOkFDogAnpd5:4k4hcYXxA8P6OsCe1kF6pd5
Threatray 30 similar samples on MalwareBazaar
TLSH 82359D00B7519138F8BB06F99D7EA1AC993C7E601B2854CB72C469DF6A25AE0FC31717
Reporter abuse_ch
Tags:dll Gozi ZLoader


Avatar
abuse_ch
ZLoader payload URL:
http://45.138.72.39/g/s.dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Zloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/3782/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.33845749.25770.29053.UNOFFICIAL
Create hunting rule

Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/356784
Behaviour
Behavior Graph:
n/a
Gathering data
Threat name:
Win32.Trojan.Zloader
Create hunting rule
Status:
Malicious
First seen:
2020-05-14 15:29:08 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
21 of 31 (67.74%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
zloader
Create hunting rule
gozi
Create hunting rule
Similar samples:
1267b822cde1edabfc063458232a5ed9ea03652416de96b8d12ecb1058c86e23
Gozi
3712c1a9e9ab864ee28897d0802179db4a2f664f61629f1154437640be377530
Gozi
385be4267e9aaadfb82815d54dde7fccbd0d1b843aa3c4062ef752a9378ae02e
Gozi
692c58e28e0f0346adfbad2356dd8495ec8f07718ee40db171b50e8870526f96
Gozi
7d5ef8e6c5738ebc13718eee67f0b6cc354f3e28b135e4a378f69d57043299b8
Gozi
abe31666e7b408ed139ba7452f70d3f633b7cc7ce0de9de8b8c6489f47a34df8
Gozi
b8f848f137a23fe046b4701a67d07c8e7e1a8fdb066f318424caede7a1e69530
Gozi
cc32eb0fb5c35376f69a3d6b81fdb339309d06d80a2cffa2604e21012ac33c18
Gozi
ccf1e6416673f50f016cfa1658e9dd29793195b9bc701fedc1218d122faeb6b2
Gozi
e4bffaffaa1de9c8d8fcd49caf92c585277145c9a1d15f5d7a60e20ed1334e22
Gozi
+ 20 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:miguel campaign:14/05 botnet trojan
Link:
https://tria.ge/reports/201109-th2h7wr3zj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blacklisted process makes network request
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://kickapoochiefsfootball.com/wp-parser.php
https://appsbispo.tk/wp-parser.php
http://staging4.allemny.net/wp-parser.php
https://dinghaomcc.com/wp-parser.php
https://bondarenkopjatk.ru/wp-parser.php
http://euromix.com.ua/wp-parser.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

4b4101e690aa85f401ad09ad6059f4a28d1a4e1784e87d5e6d5eaabc21d6715f

Gozi

DLL dll 6593fa326b8eb0b737a17889c50c539ac45f2f9215fdab50ffa62df1be7ec2d1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/363051/
  
Dropped by
MD5 4cb5778cde1fb3cca02c39d359986c83
  
Dropped by
SHA256 4b4101e690aa85f401ad09ad6059f4a28d1a4e1784e87d5e6d5eaabc21d6715f
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/3782/
Cape
Cape
https://www.capesandbox.com/analysis/3781/
Cape
Cape
https://www.capesandbox.com/analysis/3699/
Cape
Cape
https://www.capesandbox.com/analysis/3698/

Comments