MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f6fc7442449ac48b039f5e29230bd26383b62bee2a050f5e81553755b69e6f25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Gozi
Vendor detections: 3
| SHA256 hash: | f6fc7442449ac48b039f5e29230bd26383b62bee2a050f5e81553755b69e6f25 |
|---|---|
| SHA3-384 hash: | 291220c4ff345ea812dda5c26479d76c1f9b227b7758f7152a1edb90024bba335f969b2ee290008baa9369a1077a9aec |
| SHA1 hash: | 7926eb5dc593c8a82bd5b7aecbbcd1255f4e6685 |
| MD5 hash: | b31b8740568360abdfcf934916c65bca |
| humanhash: | pasta-king-missouri-steak |
| File name: | 1266ono38832_1.exe |
| Download: | download sample |
| Signature | Gozi |
| File size: | 966'850 bytes |
| First seen: | 2020-04-03 08:27:23 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 31d615ba2a4b158be24600919b8d17f1 (1 x Gozi) |
| ssdeep | 24576:ef2hkHvvtppyIOThBmM4IUEJYtUs3SLnxDZnExUwNLA+l:efRvByZPsiLxG |
| Threatray | 607 similar samples on MalwareBazaar |
| TLSH | CF25A049BBE68475E9EE257700290B3D0A319D016810C72373FC745D8AEB766B92E3ED |
| Reporter |  abuse_ch |
| Tags: | exe Gozi |
Intelligence
File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Gathering data
Threat name:
Win32.Trojan.Kryptik
Status:
Malicious
First seen:
2020-04-03 08:35:24 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
25 of 31 (80.65%)
Threat level:
2/5
Verdict:
malicious
Label(s):
gozi
Similar samples:
+ 597 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Distributed via e-mail link
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CreateStreamOnHGlobal |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetSystemInfo |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::CreateFileMappingA KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileA KERNEL32.dll::DeleteFileW |
| WIN_HTTP_API | Uses HTTP services | WINHTTP.dll::WinHttpOpen |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::CreateWindowExA USER32.dll::CreateWindowStationA |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.