MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e
SHA3-384 hash:	75463ac1de677064594ed8a63744cba31651477aaaf45c52aaf602b24a886058fcb43b958b46a7b83995a1441625d2c0
SHA1 hash:	93fe97775373b254a96befc63af58c075d569a7f
MD5 hash:	2711069458335bcfdd79ac0b761ebe90
humanhash:	magazine-cold-glucose-mountain
File name:	server.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	324'096 bytes
First seen:	2023-03-06 12:20:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c331745203b96e8c89ba27a88886d06c (2 x Smoke Loader, 1 x Gozi)
ssdeep	3072:/AxrRdfs0LzaS4QirQo7GLij49BK5nW+HHQ3k0TfWupeU5DLK6PWUqsuB:4xrs0Lf4rQNTByqjfH5DLKcTqd
Threatray	403 similar samples on MalwareBazaar
TLSH	T13564D02275D0C0B2C48B01B59431DAE55BBEB4718B64C6C737580BBE5E333D19A7B36A
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0018dac0888c9a88 (1 x Gozi)
Reporter	JAMESWT_WT
Tags:	exe Gozi ITA MEF mise Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

252

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

server.exe

Verdict:

Malicious activity

Analysis date:

2023-03-06 12:23:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/de5dcbb5-b4e3-431f-bfa2-7a7dd7445bd7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/371956/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

DNS request

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lockbit ursnif

Link:

https://www.filescan.io/uploads/6405dab093921fa04236c728/reports/b32d6f3e-d866-421d-95e0-a2944977a866/overview

Verdict:

Malicious

Labled as:

Ransom.84989A88

Link:

https://www.hybrid-analysis.com/sample/3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0928e540-5c56-4bba-9e26-753c66b7a11e

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1188156

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2023-03-06 12:42:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hl4wbggmwedd6fjy4jk7gkhhr6kvnyu42bldyu6su42ws5m3luha._file

Verdict:

malicious

Label(s):

gozi

cobaltstrike

Gozi

820fe3ac6c45fc1ed547de500f949780b4e1535e5429441ba50ff42adbc8b419

Gozi

84908c9c014c59a36369a618dfc51316646d1dbc3314da3c66100b0706567d22

Gozi

9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d

Gozi

a7244954aa33a3d0bbdc5bf098d546135f1b90545ad649f83eb0fe96b741c296

Gozi

cff404581196accfce86e8ba7a5b8f63b686ef831e384d95e46a04f908e0987a

Gozi

dcc33bc510228ff4cf4dc286e5902be5a262e3def4189960c702d27b83da84b2

Gozi

df9bc10545b7066ec3bc8868a9e20379aa9a7cbb38928902520eea8fdd3ac2a7

Gozi

+ 393 additional samples on MalwareBazaar

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:7710 banker isfb trojan

Link:

https://tria.ge/reports/230306-pjbl2abf31/

Behaviour

Gozi

Malware Config

C2 Extraction:

checklist.skype.com
62.173.140.103
31.41.44.63
46.8.19.239
185.77.96.40
46.8.19.116
31.41.44.48
62.173.139.11
62.173.138.251

Unpacked files

SH256 hash:

7a60171a2366bc7cd2ea97ec50d4d90cf15e8b7c286f3840661aebec9f9b75ef

MD5 hash:

5b1a2e5c1ad156d5a1179be2af118901

SHA1 hash:

6e2d8fb9198b1b03d1edd95b1245bc0aeb1011a7

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/9e921249-9cff-401a-8898-153073c0f490/

Parent samples :

a7244954aa33a3d0bbdc5bf098d546135f1b90545ad649f83eb0fe96b741c296
7a60171a2366bc7cd2ea97ec50d4d90cf15e8b7c286f3840661aebec9f9b75ef
3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e
7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268
957b7f7039ef6b3c84f374b6b602466cb196e50e477a37e012423b7a9d72aa7f
236f2a9fcc1176a802946828029465d054626f92d258015f8abccdc52d2365e7
ad738ad2b402c8918bdfcf0b90c9d3aad7802a62cea735d522351bca5bf8d1d7
fc3e7ff40a45bccd83617ea952eccdfc93301c6673cce8de33b4bf924b8957d9
47e870e2d1a123b74c470b0e01ed75ef196c714aeed8739f77ac6e56430dba35
a9f25933eb0dc82972d77854034dbc86220088eff4758a7df4e65f87ee1745e1
fc74e8faf8772293f2947c803c5309c64310c38d8e3f8efe18271004a9b96bba
19a9a43b36d2ed6516e4b1d8368cb3af64362507d2b30f4cb742fbe50780ee89
0c1d1a60a0fc143c9fc830be48c53d488b414921cf4d97d66466ff2a628d1b4d

SH256 hash:

4c62f159d20fb1fbd9423d0c45ad9020b668c7c59d01e489ad99657433b847f1

MD5 hash:

b91133cfe8cba566e105419ecfec37b3

SHA1 hash:

2231db31822e3684789b0a5355523368214139e6

Link:

https://www.unpac.me/results/9e921249-9cff-401a-8898-153073c0f490/

SH256 hash:

3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e

MD5 hash:

2711069458335bcfdd79ac0b761ebe90

SHA1 hash:

93fe97775373b254a96befc63af58c075d569a7f

Link:

https://www.unpac.me/results/9e921249-9cff-401a-8898-153073c0f490/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3af96098ccb1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/371956/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample