MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc32eb0fb5c35376f69a3d6b81fdb339309d06d80a2cffa2604e21012ac33c18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc32eb0fb5c35376f69a3d6b81fdb339309d06d80a2cffa2604e21012ac33c18
SHA3-384 hash: 446681b025681401d005b205a420e65ea7b4bddba3f0c3366874e5586c00eb845f5dbdade66990928e7156840b5714be
SHA1 hash: dfa20b8e4a4725f37698c15ef5e50b3badffd3d4
MD5 hash: 62c04a23f403f3d431198326448ffc24
humanhash: floor-social-arizona-seventeen
File name:y.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:966'144 bytes
First seen:2020-05-20 15:29:24 UTC
Last seen:2020-05-20 17:04:24 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 5bcf15fb33cbd342e39f3dfc58a37026 (1 x Gozi)
ssdeep 12288:0R5P2zVugjMyB8H9uVPnEyeR9ycrn8F0NbgZ8HTbrk0ruQn2aIMJG1vH6G1OtaEK:cH9+EyBcICHfQ0ruQn2IGzOt
Threatray 41 similar samples on MalwareBazaar
TLSH ED253810B600D12AE9BA35B8CC69D2FDA45C7E95CF2154C7B7C82FEF66365D0A93120B
Reporter James_inthe_box
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
3
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Zloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/4538/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 15:28:51 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
zloader
Create hunting rule
gozi
Create hunting rule
Similar samples:
1267b822cde1edabfc063458232a5ed9ea03652416de96b8d12ecb1058c86e23
Gozi
3712c1a9e9ab864ee28897d0802179db4a2f664f61629f1154437640be377530
Gozi
385be4267e9aaadfb82815d54dde7fccbd0d1b843aa3c4062ef752a9378ae02e
Gozi
39599008089755aa7cccb534b2c94ccb537f266018bb67ae3ed4b9f51c0a40b9
Gozi
6593fa326b8eb0b737a17889c50c539ac45f2f9215fdab50ffa62df1be7ec2d1
Gozi
692c58e28e0f0346adfbad2356dd8495ec8f07718ee40db171b50e8870526f96
Gozi
7d5ef8e6c5738ebc13718eee67f0b6cc354f3e28b135e4a378f69d57043299b8
Gozi
abe31666e7b408ed139ba7452f70d3f633b7cc7ce0de9de8b8c6489f47a34df8
Gozi
b8f848f137a23fe046b4701a67d07c8e7e1a8fdb066f318424caede7a1e69530
Gozi
ccf1e6416673f50f016cfa1658e9dd29793195b9bc701fedc1218d122faeb6b2
Gozi
+ 31 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:miguel campaign:20/05 botnet trojan
Link:
https://tria.ge/reports/201109-jhynv6gphj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://letssihamra.gq/wp-parser.php
https://puffmenscourtcomenthy.tk/wp-parser.php
https://thurlopetnyi.cf/wp-parser.php
http://blog.menusmile.com/wp-parser.php
http://setindgrp.com/wp-parser.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/365391/
Cape
Cape
https://www.capesandbox.com/analysis/4538/
Cape
Cape
https://www.capesandbox.com/analysis/4537/
Cape
Cape
https://www.capesandbox.com/analysis/4437/
Cape
Cape
https://www.capesandbox.com/analysis/4433/

Comments