MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b31a64f7d221dfd8ac33edaf101a4c1ac73f36dcd7abb976517fb1e90750544. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	2b31a64f7d221dfd8ac33edaf101a4c1ac73f36dcd7abb976517fb1e90750544
SHA3-384 hash:	94b409a7b2f261893a79fc1b3eb651e1311101fc4d874187c095ad0fe82438e2409860633389c2503410641838c285b6
SHA1 hash:	e4bb248848451813b7325c001910defaf262e58a
MD5 hash:	b53e7a4f7d03dc6b34760a66dc7fefdf
humanhash:	four-east-ten-diet
File name:	server.exe
Download:	download sample
Signature	Gozi Alert Create hunting rule
File size:	196'608 bytes
First seen:	2023-03-08 10:15:42 UTC
Last seen:	2023-03-08 11:27:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bd539b249d1dc5b6030dd4bb1a6c6cad (4 x RedLineStealer, 2 x Gozi, 2 x Smoke Loader)
ssdeep	3072:6F3QsFXipai+ZJY0glWqUeMV7oog/Mhej01QDnLjmH52c:bWX8ai+Za067UnVU/0hS01QDL
Threatray	415 similar samples on MalwareBazaar
TLSH	T12F148E0253ED6C21E1725A719E3DC2E4662FFD539D39666B2214EF2F09B02E1C573722
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	916a6e6a6a6a6a64 (27 x RedLineStealer, 23 x Smoke Loader, 10 x RecordBreaker)
Reporter	JAMESWT_WT
Tags:	agenziaentrate exe Gozi ITA MEF mise Ursnif

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

256

Origin country :

IT

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

server.exe

Verdict:

Malicious activity

Analysis date:

2023-03-08 10:18:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c82e3538-6445-497e-a804-3f07c1d4d5a1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/372516/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Variant.Mikey.145421.22196.6458.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

DNS request

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6408606438520b6ce9ed3c89/reports/a5171c3e-70ee-4525-a023-041727b93ac4/overview

Hybrid Analysis Mikey.Generic

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/2b31a64f7d221dfd8ac33edaf101a4c1ac73f36dcd7abb976517fb1e90750544

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Ursnif

Malware family:

Ursnif

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/821ab74c-4133-4b40-b0df-4cccd6b4b30e

Joe Sandbox Ursnif

Result

Threat name:

Ursnif

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1189321

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2b31a64f7d221dfd8ac33edaf101a4c1ac73f36dcd7abb976517fb1e90750544/

ReversingLabs TitaniumCloud Win32.Trojan.SmokeLoader

Threat name:

Win32.Trojan.SmokeLoader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-03-08 10:16:07 UTC

File Type:

PE (Exe)

Extracted files:

30

AV detection:

19 of 24 (79.17%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fmy2mt35eio73cwdh3npcaneygwhh43nzv5lxf3fc75r5edvavca._file

Threatray gozi

Verdict:

malicious

Label(s):

gozi

Alert

Create hunting rule

Similar samples:

19a9a43b36d2ed6516e4b1d8368cb3af64362507d2b30f4cb742fbe50780ee89

Gozi

3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e

Gozi

7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268

Gozi

8ca6d4d0d27c950e7bc234bc16b0a89bf9122ac5b708fa215ce7bf4009387350

Gozi

a9f25933eb0dc82972d77854034dbc86220088eff4758a7df4e65f87ee1745e1

Gozi

cff404581196accfce86e8ba7a5b8f63b686ef831e384d95e46a04f908e0987a

Gozi

d3f8b9ca52931ea88524319a7d1acaa2e261f4303c66baa32ea3a3f02c370cf8

Gozi

dcc33bc510228ff4cf4dc286e5902be5a262e3def4189960c702d27b83da84b2

Gozi

fb355965642d20a78b7a471b60f0d6e2ec1f6ed6ec3560665244c57a506cd38d

Gozi

fc74e8faf8772293f2947c803c5309c64310c38d8e3f8efe18271004a9b96bba

Gozi

+ 405 additional samples on MalwareBazaar

Hatching Triage gozi

Result

Malware family:

gozi

Alert

Create hunting rule

Score:

  10/10

Tags:

family:gozi botnet:7711 banker isfb trojan

Link:

https://tria.ge/reports/230308-mas4lsfc82/

Behaviour

Gozi

Malware Config

C2 Extraction:

checklist.skype.com
62.173.138.6
89.117.37.146
46.8.210.82
89.116.227.15
31.41.44.51

UnpacMe ISFB_Main win_isfb_auto

Unpacked files

SH256 hash:

5bd64a7b018db5b4538d8077ad7a50871dc6c5682a1f151cc5e8a42673e4384f

MD5 hash:

e12d09d7f5bc156c651ad31508626593

SHA1 hash:

afdbc23b99f31640b473772dc1db24ffc9ed61a9

Detections:

ISFB_Main

Alert

Create hunting rule

win_isfb_auto

Alert

Create hunting rule

Link:

https://www.unpac.me/results/4d906c1b-a733-42a1-b1b2-d1024f653f7d/

Parent samples :

8ca6d4d0d27c950e7bc234bc16b0a89bf9122ac5b708fa215ce7bf4009387350
5bd64a7b018db5b4538d8077ad7a50871dc6c5682a1f151cc5e8a42673e4384f
2b31a64f7d221dfd8ac33edaf101a4c1ac73f36dcd7abb976517fb1e90750544
bb426461ef70ffd601cb64a687c62edda066b99a79e49d880918300da5eb6548

SH256 hash:

f92b7309b1f8db85c47cf85f63fc630aa38bd3c8d462f25414b958de50b85b71

MD5 hash:

b1ae3f12e513cd39695206b0ffb7e474

SHA1 hash:

8e5779b84417fb83708078274c1329d27f33ff41

Link:

https://www.unpac.me/results/4d906c1b-a733-42a1-b1b2-d1024f653f7d/

SH256 hash:

2b31a64f7d221dfd8ac33edaf101a4c1ac73f36dcd7abb976517fb1e90750544

MD5 hash:

b53e7a4f7d03dc6b34760a66dc7fefdf

SHA1 hash:

e4bb248848451813b7325c001910defaf262e58a

Link:

https://www.unpac.me/results/4d906c1b-a733-42a1-b1b2-d1024f653f7d/

VMRay Ursnif

Malware family:

Ursnif

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2b31a64f7d22/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2b31a64f7d221dfd8ac33edaf101a4c1ac73f36dcd7abb976517fb1e90750544

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/372516/