MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abe31666e7b408ed139ba7452f70d3f633b7cc7ce0de9de8b8c6489f47a34df8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 5

SHA256 hash: abe31666e7b408ed139ba7452f70d3f633b7cc7ce0de9de8b8c6489f47a34df8
SHA3-384 hash: 04f31b5f61fe5d63b6b491bfd3a376003ea5a3ddab5e8d831a9ed6e39b817c918232f3a969c36894936ce8dbdbb9e23e
SHA1 hash: 224f9ad58d323a9275c444accd753e85bd136de1
MD5 hash: 73901da4dd68170dd35059791789d777
humanhash: missouri-bacon-magazine-wisconsin
File name: tu.dll
Signature: Gozi
File size: 1'162'240 bytes
First seen: 2020-05-26 16:24:34 UTC
Last seen: 2020-05-26 17:02:58 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 8a9eb8902462e936ba5087615507f564 (1 x Gozi)
ssdeep: 24576:B4ggX/qn/7qE6uAyyirYmbna0CPL81QYH:Zgvqn/GE6Jy5MmzUotH
Threatray: 38 similar samples on MalwareBazaar
TLSH: 47358D40B791D035F9FB0AB98D7991AE593D7E610B24D0C7A3C06ADF1A366D4AE30713
Reporter: abuse_ch
Tags: dll Gozi ZLoader


abuse_ch
ZLoader payload URL:
https://pensstomductchatlihet.tk/ew/tu.dll
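Before analysing a file obtained from the download above, confirm it is really the recorded sample. The script below is an added example, not MalwareBazaar's own tooling: it copies the four digests published in this entry into a record and compares them with digests computed over a candidate file. The stand-in bytes used in the demo are constructed (a bare MZ header) and do not match, which is exactly the failure path such a check exists to catch. imphash, ssdeep and TLSH are not in the Python standard library (they need pefile, ssdeep and tlsh) and are left out.

```python
import hashlib

# The four digests copied from this MalwareBazaar entry (tu.dll).
MALWAREBAZAAR_RECORD = {
    "md5": "73901da4dd68170dd35059791789d777",
    "sha1": "224f9ad58d323a9275c444accd753e85bd136de1",
    "sha256": "abe31666e7b408ed139ba7452f70d3f633b7cc7ce0de9de8b8c6489f47a34df8",
    "sha3_384": "04f31b5f61fe5d63b6b491bfd3a376003ea5a3ddab5e8d831a9ed6e39b817c918232f3a969c36894936ce8dbdbb9e23e",
}

# hashlib algorithm names matching the fields MalwareBazaar publishes.
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def compute_hashes(data: bytes) -> dict:
    """Return the four digests as lowercase hex, keyed by hashlib name."""
    digests = {}
    for name in ALGORITHMS:
        h = hashlib.new(name)
        h.update(data)
        digests[name] = h.hexdigest()
    return digests


def verify_sample(data: bytes, record: dict) -> dict:
    """Compare each digest present in the record with the computed one.

    Comparison is case-insensitive because feeds differ in hex casing.
    Algorithms missing from the record are simply not reported.
    """
    computed = compute_hashes(data)
    return {
        name: computed[name] == record[name].lower()
        for name in ALGORITHMS
        if name in record
    }


def is_exact_sample(data: bytes, record: dict) -> bool:
    """True only if every published digest agrees.

    A single mismatch means a different file or a damaged download;
    an empty record can never confirm identity.
    """
    results = verify_sample(data, record)
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Constructed stand-in bytes, NOT the real tu.dll: a minimal MZ header.
    stand_in = b"MZ" + b"\x00" * 62
    for name, ok in verify_sample(stand_in, MALWAREBAZAAR_RECORD).items():
        print(f"{name:9s} {'match' if ok else 'MISMATCH'}")
    print("exact sample:", is_exact_sample(stand_in, MALWAREBAZAAR_RECORD))
```

To check a real download, replace `stand_in` with the file's bytes (`open(path, "rb").read()`). Treat the SHA256 as the authoritative identifier; the MD5 and SHA1 are kept only because older reports and vendor consoles still key on them.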

Intelligence

File Origin
# of uploads: 3
# of downloads: 74
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-05-26 16:36:12 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 19 of 48 (39.58%)
Threat level: 2/5
Result
Malware family: zloader
Score: 10/10
Tags: family:zloader botnet:26/05 botnet trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blacklisted process makes network request
Zloader, Terdot, DELoader, ZeusSphinx
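The first three Behaviour entries are the textbook sequence for remote code injection: acquire a privilege (typically SeDebugPrivilege), write a payload into another process with WriteProcessMemory, then point one of its threads at that payload with SetThreadContext. The script below is an added example of turning that observation into detection logic over an API trace; it is not code from MalwareBazaar or from the sandbox vendor. The pipe-separated trace format, the exact API names (the page's "AdjustPrivilegeToken" label is rendered as the Win32 call AdjustTokenPrivileges), the scoring, and the trace itself are all constructed for illustration, not output for this sample.

```python
from collections import defaultdict

# Assumed API groupings. Win32 and the Nt* equivalents are treated alike
# because sandboxes differ in which layer they hook.
INJECTION_WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory"}
INJECTION_REDIRECT = {"SetThreadContext", "NtSetContextThread"}
PRIVILEGE_APIS = {"AdjustTokenPrivileges", "RtlAdjustPrivilege"}


def parse_trace(lines):
    """Parse assumed 'seq|pid|api|target_pid' records.

    target_pid is '-' when the call has no remote target. Malformed lines
    are skipped; events are returned in sequence order.
    """
    events = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        seq, pid, api, target = parts
        events.append((int(seq), pid, api, None if target == "-" else target))
    events.sort()
    return events


def detect_remote_injection(lines):
    """Return {(pid, target_pid): score} for every process that wrote into
    a different process and afterwards changed a thread context there.

    Score 2 for the write-then-redirect pair, +1 if the same pid also
    adjusted token privileges earlier in the trace. Self-writes are
    ignored: unpackers and JIT engines legitimately modify themselves.
    """
    events = parse_trace(lines)
    writes = defaultdict(list)  # (pid, target) -> seqs of remote writes
    privileged = set()          # pids that adjusted privileges
    findings = {}
    for seq, pid, api, target in events:
        if api in PRIVILEGE_APIS:
            privileged.add(pid)
        if target is None or target == pid:
            continue
        key = (pid, target)
        if api in INJECTION_WRITE:
            writes[key].append(seq)
        elif api in INJECTION_REDIRECT and writes[key]:
            # Order matters: a context change with no earlier remote write
            # (debuggers, some AV engines) does not reach this branch.
            score = 2 + (1 if pid in privileged else 0)
            findings[key] = max(findings.get(key, 0), score)
    return findings


# Constructed trace, not sandbox output for this sample.
SAMPLE_TRACE = [
    "1|4120|AdjustTokenPrivileges|-",
    "2|4120|CreateProcessW|5208",       # spawns a suspended host (not scored)
    "3|4120|WriteProcessMemory|5208",
    "4|4120|SetThreadContext|5208",
    "5|4120|ResumeThread|5208",
    "6|7000|WriteProcessMemory|7000",   # self-write: benign, ignored
    "7|7000|SetThreadContext|7000",
    "8|8100|SetThreadContext|8200",     # redirect without a prior write
]

if __name__ == "__main__":
    for (pid, target), score in detect_remote_injection(SAMPLE_TRACE).items():
        print(f"pid {pid} -> {target}: remote injection, score {score}")
```

Only the 4120 -> 5208 pair is reported. The ordering requirement and the self-write exclusion are what keep this from firing on every process that happens to call one of these APIs; a real rule would also want the ResumeThread/NtResumeThread that completes the hollowing, which this example leaves unscored.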
Malware Config
C2 Extraction:
https://cripuntisispoi.tk/wp-parser.php
https://unesrafho.cf/wp-parser.php
http://sannyjewelry.ir/wp-parser.php
http://printgenerator.sundaytimes.lk/wp-parser.php
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gozi
File type: DLL dll
SHA256: abe31666e7b408ed139ba7452f70d3f633b7cc7ce0de9de8b8c6489f47a34df8 (this sample)

Comments