MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c6ec08f7cf0c7e2284cab850388cb8919331db2209e1a84169c016430638f78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c6ec08f7cf0c7e2284cab850388cb8919331db2209e1a84169c016430638f78
SHA3-384 hash: 4df75f1bf6d5a60b0a33c9b85118676e34008b699030f779e90a2c815bc65ff14e2e6f65787d4a5bad99124a8426de5b
SHA1 hash: b56036ba62b0bed644d8a443baf02d1816bc5feb
MD5 hash: 4cc0a494b74196b611a6d85a49b1e232
humanhash: mars-march-orange-football
File name:pit.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:219'648 bytes
First seen:2023-09-19 06:37:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a43f06494f4b57894e755b6728f01152 (3 x Stealc, 2 x RedLineStealer, 2 x Gozi)
ssdeep 6144:60DOLAvY9Am/Pupmm70oFRhCM4IlS/+NT:6XEvY9r3i0KtEG5
Threatray 149 similar samples on MalwareBazaar
TLSH T1E324BF123592D4B2D7A741354824CAE4AA7FB8735E27898B376C3F7F3D312929B65302
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 020605010a183000 (1 x RedLineStealer, 1 x Gozi)
Reporter JAMESWT_WT
Tags:62-173-145-113 exe Gozi serverlogins-com Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
UrsnifV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449569/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Gathering data
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/650941cb83a0c6425df90b58/reports/9fc0a44f-ff92-4b86-bc0a-eb41296cb182/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/0c6ec08f7cf0c7e2284cab850388cb8919331db2209e1a84169c016430638f78
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e50465f0-7385-48aa-915c-7e6172892cf8
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1310565
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0c6ec08f7cf0c7e2284cab850388cb8919331db2209e1a84169c016430638f78/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-09-19 06:36:04 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=brxmbd346dd6ekcmvocqhcglremtghnsecpbvbawtqawimddr54a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2fdcf826f3200f1f19ae9468932cce1c9afb202388d9eaf57348c01bdcdccc95
Gozi
623284a27c89c60d20b36cdba1f62fa5d0a2b3f2262dc737fc36e879644df7f5
Gozi
6b82d78ff4d6f55b4b66ed8410897cec1e845d65ba8f9e77f4f0e4ed499a0d1c
Gozi
9a283b96743a414650fd06fe5d2bcb4f973f793a27bfff7febefcd78ab07d968
Gozi
b94a454399232bb541b952c27fd158c8ddb4cbd3ec28633c63ae7187ad0adbe2
Gozi
cd10d150eef5383972a6c479e1c85f259874828aa33aae2da36b118b4fcc6961
Gozi
e504292e217c9dafb42faf8f3fde8e1b0360da9486ce6f045857c3b0ccd00006
Gozi
eaf9fcf210002cf39af2e76d18880bef6954079b1e6107c4bce5ac7d2b0e0dec
Gozi
+ 139 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:5050 banker isfb trojan
Link:
https://tria.ge/reports/230919-hd2spshd43/
Behaviour
Gozi
Malware Config
C2 Extraction:
https://avas1ta.com/in/login/
192.121.22.216
http://mimemoa.com
Unpacked files
SH256 hash:
17bc4a9ae4fb31afa2d08995ff00d21faf66154b406d0505c65667c49e49e8f0
MD5 hash:
503fd118bd1aeef9d3b3f2cf9f34556a
SHA1 hash:
f0f57c917bf4805f3dda820a7263ac797402caa6
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/7603bd1b-14d0-4a7b-8d6d-70554b72842c/
Parent samples :
1c57d98519e5b1381e69949076bd8eefca421b90a51f15220a1092afbc7631b3
9a73aac68d8941fa339bf2b9d12c2ddabc734cf94d0070cbd5c8b7e25ee92f29
4151f81469e5278e9381d10485efbe66e4ca5d8c2f863aa4c3df8e577dc96614
326ad767ee63a1d88df314fc691c55cbf3e5b90985d858a649ccede0661f584d
573ecacb1ccfd4965e899ed3bb811181bf78b62399e10a5690491eb199e0291c
6b82d78ff4d6f55b4b66ed8410897cec1e845d65ba8f9e77f4f0e4ed499a0d1c
0c6ec08f7cf0c7e2284cab850388cb8919331db2209e1a84169c016430638f78
SH256 hash:
1db9fd7c77e9d35d32cff1ca2bddbbc31bd4b323c9dd1d7cb52e605536b9b550
MD5 hash:
cf3cbbb1bccf01113df9f3a93abc2b83
SHA1 hash:
985d9d82c6963b2a97004258b164afae8c1fcb63
Link:
https://www.unpac.me/results/7603bd1b-14d0-4a7b-8d6d-70554b72842c/
SH256 hash:
0c6ec08f7cf0c7e2284cab850388cb8919331db2209e1a84169c016430638f78
MD5 hash:
4cc0a494b74196b611a6d85a49b1e232
SHA1 hash:
b56036ba62b0bed644d8a443baf02d1816bc5feb
Link:
https://www.unpac.me/results/7603bd1b-14d0-4a7b-8d6d-70554b72842c/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0c6ec08f7cf0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c6ec08f7cf0c7e2284cab850388cb8919331db2209e1a84169c016430638f78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 0c6ec08f7cf0c7e2284cab850388cb8919331db2209e1a84169c016430638f78

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/449569/
  
URLhaus
https://urlhaus.abuse.ch/url/2712457/
  
Delivery method
Distributed via web download

Comments