MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bd5a5a663b3a2818136ba7f1b3c431c50de70e70416b9bcdce3fee23ee3353e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bd5a5a663b3a2818136ba7f1b3c431c50de70e70416b9bcdce3fee23ee3353e
SHA3-384 hash: e3efe54ee778f668b653e5a1c891b9c23869567f48609774d10372b9e6cf1d1d1827e0b21978f3a60a5a77accfd1b98a
SHA1 hash: 5820c7e13bc3eaa8b54ee7ccd00d9bf8d7268e91
MD5 hash: 8a284bd4b467f47a0c7f32e9d5bb99ea
humanhash: autumn-artist-autumn-william
File name:d2cf37694cdb309cce804473c01072b8d1c3c1e9b82b41e432083f0d49299d2d.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:153'089 bytes
First seen:2020-06-02 06:21:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 54aaf8dc643114b5c601c5f8d229f3b9 (2 x Gozi)
ssdeep 3072:tzaE7ZKrQMh/x8orIrUCic0PglqlsvARnj1N2fl55D8ejI1AbWxS/Cau2lPX3LMB:ZaE4rQqlrIQL8Eh2floesObWxS/TzMB
Threatray 336 similar samples on MalwareBazaar
TLSH 60E38C50AE91543DF4D316386438D922C41B7E3AAA38B08E37F51D366FB2283C525BF9
Reporter TrappmanRhett
Tags:Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Gozi
Create hunting rule
Status:
Malicious
First seen:
2020-04-03 14:44:01 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 27 (81.48%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
19b3c091f3805bd947578183b5f4f77b0cc8bc542527e69cd14f7e1e6337351d
Gozi
3ab79263ec3e73bdfb8ef6c93e33622b8529de1cf78d4e6f008368a16139aa18
Gozi
51710ac663a6fd3bc7f166045d4cb38b1e1796195b4aab057b4133df8db9ef8b
Gozi
7aa84b4ce4fbf937632d3008981c3ef8ff63e1ff846fdbb55060f3973d2507a9
Gozi
c85d0da5fe543408376ed6c916d5e498aadc0b5f75be0ddc59a4efe3da5fff07
Gozi
ceafed22728ab72aa4a74dc2fc96d54b85ec0432ef0c97a4497075cc802109d3
Gozi
dc0df8f5ee0e898e069643a84cbc8154d6191f081665e245f1a9e2085028062f
Gozi
e9a315800b66a07aad3d74af0809436ee372c5476ec73dca1c588580826aff29
Gozi
eec9887fb0a1a6157c82c1319dd32e9750d616a4dc31cdbb29b2ff75028fcf04
Gozi
eeeb8aa8df15fa4ff30e3335ed92431f7ec9006705f4c15a0ee51f4cb56066ed
Gozi
+ 326 additional samples on MalwareBazaar
Result
Malware family:
ursnif
Create hunting rule
Score:
  10/10
Tags:
family:ursnif botnet:3475 banker trojan
Link:
https://tria.ge/reports/201109-mw7eke7pes/
Behaviour
Ursnif, Dreambot
Malware Config
C2 Extraction:
google.com
gmail.com
q982yeq23.xyz
t7763jykqeiy.com
hjruu.com
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments