MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c7c8fbdd41335948ff0b7e67b905c242865a59c55a4809bf6a5fe4beeee83d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c7c8fbdd41335948ff0b7e67b905c242865a59c55a4809bf6a5fe4beeee83d9
SHA3-384 hash: 8b2963b6cc9a0d672048e74000c6de55fe6bb91b728220cd7260ec69098d7fe82c5b1a5d89c9a4546a342a239994cccd
SHA1 hash: be7197172cbb3640c12d4890333ebbab347e6c08
MD5 hash: b69c4c8220ae9ee5b450cc766834d5d7
humanhash: berlin-rugby-north-romeo
File name:haao11.cab
Download: download sample
Signature Gozi
Create hunting rule
File size:184'832 bytes
First seen:2020-05-28 17:04:46 UTC
Last seen:2020-05-28 18:18:13 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 0db88b241a104cf2d60e7705133f5ce1 (2 x Gozi)
ssdeep 3072:ccteTH9qPc25JZymHhbeLcMpt+zdnR8PT2fnLOJvyiUoJhffGpLWJEfgNsXkWEiA:JE9qPZRyvLxEcgbiznfBWfg2kW+8sB
Threatray 869 similar samples on MalwareBazaar
TLSH 1B048D7471C1C132E42D16385C21D4E8B7BEFD008A646D9772C91F2F6E3B9D18DA8BA6
Reporter abuse_ch
Tags:dll geo Gozi USA Valak


Avatar
abuse_ch
Valak payload URL:
http://wola4ru08w9i7jjpuc.com/urvave/cennc.php?l=haao11.cab

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'855
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.PrivateExeProte-11
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 17:36:18 UTC
File Type:
PE (Dll)
AV detection:
24 of 48 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1bd323c57344a8b38ac22ceec92707ba3b6a30d29b66fc32e163649ea7de8a0f
Gozi
481659d344a246a19eb516b01ea71e074e893f6ab4ba9de11c24fba15a8ec9fc
Gozi
59b5aaa1b9d1225610007636ef70dec8f0f1889661d12690d02494718f7df54b
Gozi
659812b78542044d9ebb46743ecda037762a71a49f05322d5fa9bd8b3337d0d4
Gozi
73872d1c97da41772d51fec33613cc1de32b27b43ec5135d1a1c357de5fb9d77
Gozi
8421811ca6b95b3a4f3610184af94f4295a57cc7aaca20062dd42acd76186733
Gozi
8ce9c42220de87bf0dedab305d7874d286726ac18bae834c80e0d6eba8438df7
Gozi
a6c6ab892399b0496ffcd15d3af8dc8840818439367b990f60f51c95c8e56305
Gozi
be14ed801453c78d6c80992705cfe0e7eb03f808d2b28704ffa2925cdc46fdc9
Gozi
fd44086fe5fd433c14f4fc1e03f318353add50ac77dee6da3f64c4d2c5414c1c
Gozi
+ 859 additional samples on MalwareBazaar
Result
Malware family:
valak
Create hunting rule
Score:
  10/10
Tags:
family:valak Loader
Link:
https://tria.ge/reports/201109-4zxd2yxmqa/
Behaviour
Suspicious use of WriteProcessMemory
JavaScript code in executable
Valak
Valak JavaScript Loader
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

34a4a8b54fd6bdd69aa4cefbb4d8fa9f

Gozi

DLL dll 3c7c8fbdd41335948ff0b7e67b905c242865a59c55a4809bf6a5fe4beeee83d9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/371331/
  
X
https://twitter.com/reecdeep/status/1266039223506939909
anyrun
any.run
https://app.any.run/tasks/1258b7c0-3dee-4c2e-981a-39d85e2e7bc4/
  
Dropped by
MD5 34a4a8b54fd6bdd69aa4cefbb4d8fa9f
  
Delivery method
Distributed via web download

Comments