MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 16

Intelligence 16 IOCs YARA 12 File information Comments

SHA256 hash:	3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd
SHA3-384 hash:	d4c0a65943f7320da16d93fe307d6584f32a2d38acad763a6d9fbd495087fc794b0eafa3a0a61cb9cd8c445d7cad86a5
SHA1 hash:	116f6ba99db4592f1ab5ccb1a734fdc5a52021bc
MD5 hash:	2f5a00394c3568e91f6302dc6c8b196c
humanhash:	ceiling-kentucky-beer-butter
File name:	Client.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	415'744 bytes
First seen:	2023-09-28 13:32:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c0f22af401ead6e446eb357430a7c27d (1 x Gozi)
ssdeep	12288:l1HmKzwKhZhZsuyOtldw5hbu5Ty7pySxN1t:bHGKhZzLQ5Wn6H
Threatray	257 similar samples on MalwareBazaar
TLSH	T1C4949D02B4D08031C67236320A35E77A8ABDA5740D516EDF67ECD97BBF31AC09A2561F
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	JAMESWT_WT
Tags:	agenziaentrate exe Gozi isfb Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

365

Origin country :

Vendor Threat Intelligence

Detection:

UrsnifV3

Link:

https://www.capesandbox.com/analysis/451795/

Detection(s):

SecuriteInfo.com.Win32.BotX-gen.26166.795.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

dridex greyware icedid

Link:

https://www.filescan.io/uploads/6515809083a0c6425d01bea1/reports/1b68fa71-872a-42ba-a3a7-3cd0fa523424/overview

Verdict:

Malicious

Labled as:

TrojanS.F23C58EC

Link:

https://www.hybrid-analysis.com/sample/3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a5802c7c-8626-443d-a525-78bd94db0bde

Result

Threat name:

Ursnif, Strela Stealer

Detection:

malicious

Classification:

bank.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1315881

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Changes memory attributes in foreign processes to executable or writable

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Found malware configuration

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Sigma detected: Dot net compiler compiles file from suspicious location

Snort IDS alert for network traffic

Suspicious powershell command line found

System process connects to network (likely due to code injection or exploit)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Yara detected Ursnif

Yara detected Strela Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

gozi

Link:

https://mwdb.cert.pl/sample/3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd/

Threat name:

Win32.Spyware.TrickBot

Status:

Malicious

First seen:

2023-09-28 13:31:47 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 23 (56.52%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hijbde24jpiur23pwi6ebvean3s2jcfqtplbwpancwsh3o76mt6q._file

Verdict:

malicious

Label(s):

gozi

Gozi

26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81

Gozi

5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587

Gozi

64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6

Gozi

90dcd0a0441c0bfc7b488901ec4c5cd884e7a7e983a461aa1da113f973ee8ff9

Gozi

a2d1e788f4bb4f2d5e78004374b60c39a7208dcc4e8523eca686719d32bedd4d

Gozi

+ 247 additional samples on MalwareBazaar

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:5050 banker dave isfb trojan

Link:

https://tria.ge/reports/230928-qthzjada67/

Behaviour

Runs ping.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Dave packer

Gozi

Malware Config

C2 Extraction:

netsecurez.com
whofoxy.com
mimemoa.com
ntcgo.com
31.41.44.79
185.248.144.203

Unpacked files

SH256 hash:

a121c2d98a7c8a815d48ae9201956f6489ff41b76af7a25c30e7cfaefa799c88

MD5 hash:

f21a13c84c2b17685ff9159eaf9d8e08

SHA1 hash:

c750d2efc96d0f41ffc776b8b257d7ff81a71a57

Link:

https://www.unpac.me/results/b925fdaa-ac53-4408-89b9-7a2ca02c6b81/

SH256 hash:

62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4

MD5 hash:

f2fce2e4bcb49ba32df2a5d4bb8c6644

SHA1 hash:

c53eba835d111b487b3550ebeac4e556b7c58e75

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/b925fdaa-ac53-4408-89b9-7a2ca02c6b81/

Parent samples :

0593d290e0110f628cd3922e52e1997354d1eaaf40f2ab192c5d12c811f5ba53
a2d1e788f4bb4f2d5e78004374b60c39a7208dcc4e8523eca686719d32bedd4d
5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587
64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6
26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81
62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4
3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd
bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd

SH256 hash:

4bd1f52eb03c84f3f4dce6cb60cee79c61ac4858988a9b0b22fbb5a16801110c

MD5 hash:

b56288e9cceb2933a9e8cf8e96156511

SHA1 hash:

7534a20eac85bbef03fa66038cdb50f4d1ad18ea

Link:

https://www.unpac.me/results/b925fdaa-ac53-4408-89b9-7a2ca02c6b81/

SH256 hash:

3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd

MD5 hash:

2f5a00394c3568e91f6302dc6c8b196c

SHA1 hash:

116f6ba99db4592f1ab5ccb1a734fdc5a52021bc

Link:

https://www.unpac.me/results/b925fdaa-ac53-4408-89b9-7a2ca02c6b81/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3a1211935c4b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_indirect_function_call_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/451795/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample