MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16dd0142263b0ecdd025ec808a6bdd74277eee53c1d9d6c603aafe460f9431d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16dd0142263b0ecdd025ec808a6bdd74277eee53c1d9d6c603aafe460f9431d1
SHA3-384 hash: 266e89c161c0536e183cfd3e032c4c356744fcdefc944c4e543ab803bbf6c4817e89a1f37ce27aec3c4369c41bd02403
SHA1 hash: c76396617dea8f799767b604bad11ae462a95680
MD5 hash: 5c9cc62723d18f4ba2fbdef4fbd63f37
humanhash: green-speaker-vermont-jig
File name:dws.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:518'656 bytes
First seen:2020-06-03 18:07:12 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 03d2bc599c55bd5b2fb46da82b90ff7c (8 x Gozi)
ssdeep 12288:v/4qkMxNyHaVbBvXA2odiPyig6SnbKcn1Skkps3FsAT:Imw2BvXAdiKMUyAT
Threatray 146 similar samples on MalwareBazaar
TLSH ADB49E6237F80411F2BB4F3848F205119BFEBED5D978C69947C1229909EB290AB7C797
Reporter abuse_ch
Tags:dll geo GMX Gozi POL ZLoader


Avatar
abuse_ch
Malspam distributing ZLoader:

HELO: mout-xforward.gmx.com
Sending IP: 82.165.159.130
From: PLAY 24 <hymie5xeobut@mail.com>
Subject: efaktura
Attachment: faktura_484.xls

ZLoader payload URL:
http://ogglededibl.at/3/dws.dll

ZLoader C2:
militanttra.at

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.PrivateExeProte-11
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Cridex
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 18:35:32 UTC
AV detection:
17 of 31 (54.84%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
zloader
Create hunting rule
Similar samples:
244bd22b299305418f66c5a6239c70bdc5eced7c0464210feaac591301241cd5
Gozi
53334b2b8901c9cfb03dfb61eee7fd5a86a15d3d5bcea947349fb7e9f991e5d6
Gozi
624dc347ad3d5ec7699556183514164d575178edc25fa6cf82d6156fe8924f53
Gozi
8179cb45ba2d6df0d25f9e1f382c5b9e8b9b703e4404fa19a9002c78418dedea
Gozi
9aba8d09a3add66da1fb109075cfe60daf120e7513bc11b7a723634c4d14d859
Gozi
9ce2908edf0994f493926514628054634858340fb73f219c38c013f34dd9a429
Gozi
ab92b7c54f6fb064001b3dadf306f85efa7344fc9efa88070bbcd91164e80af2
Gozi
b35ad69768a7ce3db49edb414b855e06236cc9948616b055bd2503e83c2564e7
Gozi
c819184cbc9744c16063570200bea44d1eb2d7e99967b2e8153bd65634f883a2
Gozi
f0276fc95acef71224471aecf0450febfc4b35e8ee9a98d97ce3cf39c669dd33
Gozi
+ 136 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:bot5 campaign:bot5 botnet persistence trojan
Link:
https://tria.ge/reports/201109-x3a4m94xfa/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://militanttra.at/owg.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ZLoader

Excel file xls b9e136a876d61f7c3404b47669c84999635c1728d588391933e933b2e729e206

Gozi

DLL dll 16dd0142263b0ecdd025ec808a6bdd74277eee53c1d9d6c603aafe460f9431d1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/376295/
  
Dropped by
MD5 103956f35c51a30caee41b95c0628b27
  
Dropped by
SHA256 b9e136a876d61f7c3404b47669c84999635c1728d588391933e933b2e729e206
  
Delivery method
Distributed via web download

Comments