MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1592f542473e48b5a4ceac2f276254d0e8c4c7f820e500979f2a787bb6e32507. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	1592f542473e48b5a4ceac2f276254d0e8c4c7f820e500979f2a787bb6e32507
SHA3-384 hash:	2b48a6bc07c799f3d6e8570f169c88571a0f6e11a8b9be5124581f375fb1100dd9c54a11870cd111ed56f87fc1b3de0e
SHA1 hash:	51a61bcddc41f5fba51d1d9ea85e156587867174
MD5 hash:	b39a6f06e279f02fc14cefc4d13895b2
humanhash:	purple-cola-failed-september
File name:	b39a6f06e279f02fc14cefc4d13895b2.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	201'216 bytes
First seen:	2021-03-01 07:38:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	88384b367df16111b74c6c6834f090e6 (4 x RaccoonStealer, 2 x Loki, 1 x TaurusStealer)
ssdeep	3072:SON92X2ui4xrUL31O9FQ0yx5FTwRez2MgQToann76sXa1rGKYNnn:73eiYrULlWyx5FTwMz2hQToan7nkGV
TLSH	65149C2175D2C473C092153148F1C6B5AA7ABCB54B255ACFBB943B7E9F313E28A36342
Reporter	abuse_ch
Tags:	exe Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

178

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b39a6f06e279f02fc14cefc4d13895b2.exe

Verdict:

No threats detected

Analysis date:

2021-03-01 07:48:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ab00c460-7eb6-4ede-812e-98e525efa566

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Ursnif3

Link:

https://www.capesandbox.com/analysis/120151/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Using the Windows Management Instrumentation requests

Launching a process

Creating a window

DNS request

Searching for the window

Deleting a recently created file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/621774

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Behaviour

Behavior Graph:

Download SVG

Detection:

isfb

Link:

https://mwdb.cert.pl/sample/1592f542473e48b5a4ceac2f276254d0e8c4c7f820e500979f2a787bb6e32507/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-03-01 07:38:24 UTC

AV detection:

15 of 48 (31.25%)

Threat level:

5/5

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:6565 banker trojan

Link:

https://tria.ge/reports/210301-32y3s19tdj/

Behaviour

Gathers system information

Modifies Internet Explorer settings

Runs ping.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Gozi, Gozi IFSB

Malware Config

C2 Extraction:

updates.microsoft.com
klounisoronws.xyz
darwikalldkkalsld.xyz
c1.microsoft.com
ctldl.windowsupdate.com
195.123.209.122
185.82.218.23
5.34.183.180
bloombergdalas.xyz
groovermanikos.xyz
kadskasdjlkewrjk.xyz

Unpacked files

SH256 hash:

ba63c14d0972a3bed8b8813954b4ddeaa8ef733afac9ed3a86372bfc87a2aa97

MD5 hash:

01bbf9a59beeb52288bdec21980db6e7

SHA1 hash:

ca85f5df9b2572f5a1606eeabee646dc871a9712

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/1ed37a3e-f200-47c3-b4f2-5a811a6dd500/

Parent samples :

77e3afaec1b7b091e7f1fd3bbfac6aa65216e60d6b6f3c866304913278470f61
33b931c8f19d3ef8b354cc7ca24ebfbb2cdf2b83e5717b1dd7c81cef80238591
9d40d8e5b54507f1e857aaa2c16fd22b7e3eb3c87a72d33a649bd9bc382a21b4
e789b72e2160d3c51e6ab89c99d8bb1075f380f875e8a7bfc8dae20eff3e8388
f7c8f22c944ad9bcf149348cbbe8f404fc69b58fe15977245fc2413f6e327e09
267d3265b48b05aeb6ea82ca0f6ba1766108ecab9d7e2a5803c92ea055c53428
1592f542473e48b5a4ceac2f276254d0e8c4c7f820e500979f2a787bb6e32507

SH256 hash:

212c7749009c09c17d7ead92ec3c07e9c26964c26a05d1594420fb5d5ea537d6

MD5 hash:

5d9099deeb748e2caca4fb40eeedbe7b

SHA1 hash:

5308bf3bdd37f81556313c7c852a5878a1929121

Link:

https://www.unpac.me/results/1ed37a3e-f200-47c3-b4f2-5a811a6dd500/

SH256 hash:

1592f542473e48b5a4ceac2f276254d0e8c4c7f820e500979f2a787bb6e32507

MD5 hash:

b39a6f06e279f02fc14cefc4d13895b2

SHA1 hash:

51a61bcddc41f5fba51d1d9ea85e156587867174

Link:

https://www.unpac.me/results/1ed37a3e-f200-47c3-b4f2-5a811a6dd500/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1592f542473e48b5a4ceac2f276254d0e8c4c7f820e500979f2a787bb6e32507

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	Ursnif3 Create hunting rule
Author:	kevoreilly
Description:	Ursnif Payload

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator