MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9b7021255f515544819e0d0d7fc650a7c2f373efbd6582761679f2ae6ce05cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9b7021255f515544819e0d0d7fc650a7c2f373efbd6582761679f2ae6ce05cc
SHA3-384 hash: 6371afb1dd774caf72e57556161cb1f9caae0505208dc76c2585d397f36b477ae031050d030d9d154704aac7ed03c380
SHA1 hash: 2567a5689aa961855dcdbb979ecc140470e89577
MD5 hash: c359fa6fc497ab698a9639ddd183c6d2
humanhash: violet-charlie-arizona-gee
File name:SecuriteInfo.com.Trojan.Agent.ERUS.7646.2652
Download: download sample
Signature Gozi
Create hunting rule
File size:679'936 bytes
First seen:2020-06-05 12:43:26 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash f9b9221f67b0fccc2e9a35bec3a33d30 (5 x Gozi, 3 x ZLoader)
ssdeep 12288:bHMY2akXvNE8jI0pNOG/yin1bb6H9UoyLRAq6BdnbbXO+uVBzSeiTzF:gy6NE88KwitR6H9xWRPYOBzqX
Threatray 120 similar samples on MalwareBazaar
TLSH 19E48D1277B04024F6BB1BB854FB11659A7E7ED09738C5CB43C022EA4AB7AD0AE34757
Reporter SecuriteInfoCom
Tags:Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.PrivateExeProte-11
Create hunting rule

SecuriteInfo.com.Trojan.Agent.ERUS.7646.2652.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2020-06-05 13:22:59 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
zloader
Create hunting rule
Similar samples:
0eb287052bad63c28c2ddb52722b87a40331cb41806e494cd4d83c8b409c6178
Gozi
244bd22b299305418f66c5a6239c70bdc5eced7c0464210feaac591301241cd5
Gozi
73abd3856eaa081063998925894e6a335b1ef4a79434eddd312ef15cccf2360e
Gozi
8179cb45ba2d6df0d25f9e1f382c5b9e8b9b703e4404fa19a9002c78418dedea
Gozi
998014de6243f054fde2ba82c0c094313b59bc040bd5940a47163e383760af9b
Gozi
9ce2908edf0994f493926514628054634858340fb73f219c38c013f34dd9a429
Gozi
a07a359c59be4c8213ab755da287c7bf2da497415185e1c434b55cad6af544de
Gozi
ccdee30c90b6f380a5596715bd42f7694814c859ca9b3da00fe9918b22ffd715
Gozi
e283e238a6df23efffad6f388ccc2de0b1e6f072fd6fb4eaed8065aa1d5a5aec
Gozi
fd8c062ff0b80d0560a5c239f9a035e821053ff0ee1e3907c88bb4a4b04fee30
Gozi
+ 110 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:bot5 campaign:bot5 botnet persistence trojan
Link:
https://tria.ge/reports/201109-ede32ckk2j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://militanttra.at/owg.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments