MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29bf6be1fa9e4b72bb9e2eeb8156ea1c03311d157d1bb28a0cea1328c6fd473d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29bf6be1fa9e4b72bb9e2eeb8156ea1c03311d157d1bb28a0cea1328c6fd473d
SHA3-384 hash: 2a05e3f09e7d4e80246d22e5c680fd161cde861bc05f7e412e3833ff6f0fbb01657ab6081899f52239b8faf855761e3c
SHA1 hash: 1b7b9c5eb0d0833f3c0ea3be7722b17f49feb8df
MD5 hash: ee8e5877f3881c8d3af4cad93479a56c
humanhash: failed-september-indigo-nineteen
File name:29bf6be1fa9e4b72bb9e2eeb8156ea1c03311d157d1bb28a0cea1328c6fd473d
Download: download sample
Signature Gozi
Create hunting rule
File size:741'376 bytes
First seen:2020-05-11 13:41:30 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 70b9ed596b6e9d4b470e4eaa71257518 (1 x Gozi)
ssdeep 12288:Rs8oLS2In7egvllvML8iQ5fU4b26fnW9eQ7tF6CsRXGdsS+FrYQV1mXNLMr3NDlp:Rs8oLS2In7Dl0L8v5nfWz7tTsRXGdsSX
Threatray 66 similar samples on MalwareBazaar
TLSH 88F42820364DE235C9A906319C62FAFC00757E1DEF125E1B76EA3F1FF6B05418979A0A
Reporter JAMESWT_WT
Tags:Gozi ZLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.PrivateExeProte-11
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Rdn
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 14:36:51 UTC
File Type:
PE (Dll)
AV detection:
22 of 31 (70.97%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
15e6a048813e1fa7e06751b3cccd6125d7b8efb3ed160931213ac44eafa60807
Gozi
39599008089755aa7cccb534b2c94ccb537f266018bb67ae3ed4b9f51c0a40b9
Gozi
5ecdc843c22bf650e78bd9b4a533adabc49d0bfb8b183e9f1023862f1600ea8e
Gozi
92819abc5959ef5dcdec4ad5ffc638e8492d0deec4569fc9cef2501adec5474a
Gozi
92f61cc6548277705585cc0c28d553093323d802a1d0d2e9fe618ebeaa6752fa
Gozi
9b281a8220a6098fefe1abd6de4fc126fddfa4f08ed1b90d15c9e0514d77e166
Gozi
cb762227729d0faadc4c33a4a55b513673a9c76284773535b0e07d7e47d8413e
Gozi
d538dfafbdf6ac115c24dbdd68c65dbef6460808dd2c4f3fc01d5e15bfc2f902
Gozi
edb9d542cbc5ab07fd52792e20294f82b51de49c3d32938cbd9b55b2374d2b55
Gozi
fb55aa4029e826e42520861cc82a8db4a3568f1d2b5fe6f39d7bf870ec0005f9
Gozi
+ 56 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:11/05 botnet trojan
Link:
https://tria.ge/reports/201109-x9y6t6wllx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blacklisted process makes network request
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://luckystatus.com/wp-parser.php
https://irfanhaber.net/wp-parser.php
https://lifeprimary.site/wp-parser.php
https://jewellerydesigns.co.za/wp-parser.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments