MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8564809c3aaa8e94463ec9ac0fb4e51c52c5e57a25ea09a997258184c656389a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8564809c3aaa8e94463ec9ac0fb4e51c52c5e57a25ea09a997258184c656389a
SHA3-384 hash: 985c0034a38bc0d25b2a638aaf103960fec248e0d82c96d140dfd17ab43eba2c363cf0f0aabe4cc693a1849e1e31000e
SHA1 hash: 333a001fe1f4d46ba062bc3220ab361cbae9cf02
MD5 hash: 7f201ce3f9889a59fd62a0383e8dd918
humanhash: lemon-hotel-island-maryland
File name:rbs.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:662'528 bytes
First seen:2020-06-02 17:44:39 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 9b6633e85c68c0277bf2da68b640f509 (15 x Gozi, 2 x ZLoader)
ssdeep 12288:yFyxomntU5cu7cGDD+pJ7ZwwF3E+pgsbRzFyWBaobi/jDnQAVVR/VUR:yFyxomntU5dapcuxpgCHmPjVR/VU
Threatray 70 similar samples on MalwareBazaar
TLSH 5EE4BE05B791D038F9B726F98EBEA1B8943D7DA05B2494CB23C41AEF55246F1AC30727
Reporter Anonymous
Tags:Gozi ZLoader


Avatar
Anonymous
Payload from .xls doc
https://tria.ge/reports/200602-5ahlgnjgxe/behavioral2

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 18:35:28 UTC
AV detection:
18 of 31 (58.06%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
01173873e92d5dd520fa88e8587ec05c92e3f36f6136b8ff50fd1b0b13df1401
Gozi
106e4f35cac5e72d0ff42e92e5b0fe1ebdb5cf31aa9ae9fa18073c924ec0e635
Gozi
16e5ddfcf4902431e2566a2a04424e1b0236d2958647bd57b7075be0013c3de1
Gozi
1b4e008beb2b395e53648c9a246ecafcb3df0543c5236a40cdb976a2007bbf97
Gozi
26625bd8081701ab5a248b4f6e726cd5ef07b43c817e5499b766f89980532952
Gozi
8914aa5433f7284881402dc27336d96baa74c6e7ce16f28531bb917c1dfa3e0f
Gozi
8e0238b207985132e60e6f5bc764a6756bce554f9c27b922f1d7e40950a3bbdc
Gozi
b580afe615e4e13cffbcd130379521dcfdd89c2b36a0ab1d4b5fef98814b141e
Gozi
bd0d1a5cc00640c72a4581df4d4c86caa627b07f1b8931920b9742855db35851
Gozi
f54d245e7fdffb4b6886f2e68c401c4afde2637359aa5f0fb2b1a1c2eadde6c3
Gozi
+ 60 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:bot5 campaign:bot5 botnet trojan
Link:
https://tria.ge/reports/201109-9lpsqx4v3n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://militanttra.at/owg.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Gozi

DLL dll 8564809c3aaa8e94463ec9ac0fb4e51c52c5e57a25ea09a997258184c656389a

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments