MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89146747e32e3c641c05585ff782874aeca718398f189a7dc37dd0e9b55895a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 4

SHA256 hash: 89146747e32e3c641c05585ff782874aeca718398f189a7dc37dd0e9b55895a5
SHA3-384 hash: c1449842dd22a70ca42cfdd1047cb8357a7a0142e249fe0a0c3b1f802335c6c9c3797ebca60ea76239457755456fe89e
SHA1 hash: ee81785613a083c7f9dc9f5a3cd118edc0765e6b
MD5 hash: 602eea50fa54c663f20789d1e16471d2
humanhash: cola-oranges-bravo-harry
File name: 415sdf5.exe
Signature: Gozi
File size: 723'661 bytes
First seen: 2020-04-09 07:19:18 UTC
Last seen: 2020-04-09 07:54:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 51b507fbe9b18715acaee3db25dad789 (1 x Gozi)
ssdeep: 1536:NXA1XoyWW6WBZO3O9uBDpn+0si1/OIvgS9AbW0j5+:WKi6+59uBF4TmAp
Threatray: 704 similar samples on MalwareBazaar
TLSH: 3FF4BF65D388203EE0E26EF55B55693360301A4A160B8DDD3BCFA796B8752C3CF25BC5
Reporter: abuse_ch
Tags: exe Gozi Ursnif

Code Signing Certificate

Organisation: Tea Factory S.R.L.
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: Apr 3 00:00:00 2020 GMT
Valid to: Apr 3 23:59:59 2021 GMT
Serial number: 30FA5A4E3EDE7987AAC8C92E652FCCDB
Thumbprint algorithm: SHA256
Thumbprint: C12E05886A6B3F8CFBA5C58E39618A35DFA0EDCD4BB4F07AAEDF4AEB53147714
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
Gozi malspam sent from Rackspace IPs:

HELO: smtp99.iad3a.emailsrvr.com
Sending IP: 173.203.187.99
From: info@servicesaustralia.gov.au
Subject: RE:Transaction 635795261
Attachment: Medicare - 635795261-635795261.xls

Gozi payload URL:
http://www.reyvencontracting.com/ray/pom.php

Gozi C2:
guiapocos.xyz:443 (91.211.246.148)

Intelligence


File Origin
# of uploads: 2
# of downloads: 115
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Gozi
Status: Malicious
First seen: 2020-04-09 07:35:51 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 28 of 31 (90.32%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Gozi
Executable exe 89146747e32e3c641c05585ff782874aeca718398f189a7dc37dd0e9b55895a5 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteEx, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHFileOperationA, SHELL32.dll::SHGetFileInfoW, SHELL32.dll::SHGetFileInfoA, SHELL32.dll::SHInvokePrinterCommandW
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::FindFirstVolumeW, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::GetFileAttributesW
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::GetUserNameA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegOpenKeyA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowW, USER32.dll::OpenClipboard
