MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b
SHA3-384 hash: 3e0d17ee225c8166abc636e509036cb430e04229da2aa7446148f1b67668571a1779f1d3e3eed832e188ca54d4f54f00
SHA1 hash: 9ca60bfc3cb13b40f02810869ce9531cb0ab76d4
MD5 hash: 43cfce2e126b1bf5230e51edd205f6bd
humanhash: blue-arizona-video-skylark
File name:server.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:616'960 bytes
First seen:2023-03-14 11:24:18 UTC
Last seen:2023-03-14 12:45:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c180eab77990cded75f412955c2aa3af (1 x Gozi)
ssdeep 12288:pAP6umkdcE8lZqRpTy2TTHoKKob0xW7//PExk+eVPeYm:Ky0H8lZqRZy4IsHMpeVPq
Threatray 439 similar samples on MalwareBazaar
TLSH T12FD46C23A2F14437D17717789C7B9766583ABE102E38A88A2BE42D4C4F3D69139753E3
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13097/50/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter JAMESWT_WT
Tags:agenziaentrate exe Gozi isfb ITA MEF mise Ursnif

Intelligence

File Origin
# of uploads :
3
# of downloads :
258
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
server.exe
Verdict:
No threats detected
Analysis date:
2023-03-14 11:27:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/019a1bb9-7102-4132-901f-d91acbb19270

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374223/
Detection(s):
SecuriteInfo.com.Variant.Ser.Tedy.3908.3068.4247.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/73086/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger qbot shell32.dll zusy
Link:
https://www.filescan.io/uploads/6410598f935ba6703eab0ad7/reports/e923828b-1d1e-42b6-8a07-2f79a8a47fb1/overview
Verdict:
Malicious
Labled as:
Ser.Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/853afdf6-7ab7-43af-b2db-3c439441f722
Result
Threat name:
Ursnif, CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1193237
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2023-03-14 11:23:57 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i7jiqiz2hgtihfswpy22o6sqbyuwegg7hjf4twwkpf7hlnfqhvfq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
19a9a43b36d2ed6516e4b1d8368cb3af64362507d2b30f4cb742fbe50780ee89
Gozi
42978b12f0f6a35808049532ca02a2cbbd0181bc71d6c8525a7a4d2c4861ee4a
Gozi
4b8dbe4d5a5547c30971cda34392a943c11964e43f62325dd753620744063b8d
Gozi
8449f58ebb84db076809e6701e7195202a3f77dc2ef8a0809451b585c9194d6e
Gozi
9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d
Gozi
a9f25933eb0dc82972d77854034dbc86220088eff4758a7df4e65f87ee1745e1
Gozi
aa96b7f6516f3f8d7d63d61a30b3af156b92b3e8dace05c8953dcf82ac96a3c6
Gozi
c95c8b01e7a58afbae1b0c3a795108ae46b22c3867680dcdb883ca97e6f092a0
Gozi
ec87f0a2d3bfa3e685e961aaed68df89f825ac08759363c27a3a55fd03d93f6f
Gozi
fc74e8faf8772293f2947c803c5309c64310c38d8e3f8efe18271004a9b96bba
Gozi
+ 429 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7713 banker isfb trojan
Link:
https://tria.ge/reports/230314-nh9xrsfb26/
Behaviour
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.142.51
94.103.183.153
193.233.175.111
109.248.11.145
31.41.44.106
191.96.251.201
Unpacked files
SH256 hash:
c8cd5b4d24e95445db1808a58d15a8189315fc12505708e4e2829c8655f4d632
MD5 hash:
62c8f0eb617194d3ac20cc92d148647f
SHA1 hash:
7ddad0a257d870f5bd1c2178bc0cb1814a7dd253
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/abff2efd-dce8-4a2e-b964-d5646ad4c692/
Parent samples :
881d60034e97cfa4e36b8da907e5d2e130c9f19abdd386990ee5a9cdce91d117
8cfad47521642927f7ab5f7401445393ab916fe2f67072b44cadfa89c11a40fe
7efe8c83ab4ba8773421d7f897a1c490214118f7924d5a45868b070cae6899dd
47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b
8cd071a056f555c793b95c82f9eff1fcf60e304a1e9589988e9819f27a754256
9261b47b4fd67523f7afe640e55ccb95ec8b154b5dfa34a8564986ac3e97fe1a
c9f213f89ae4eb4e3ef4ec3cd71d3440adfdb9aee07841da844e4c176ff53869
SH256 hash:
8ebcdb4d9102eb770d460c330134becbb7fc2a6ab3d648f1b87d6d76f766ab57
MD5 hash:
08720501f82cbc426cbee469688cc2c0
SHA1 hash:
3eb0aff1360edf79c789297db72eb100f57a8abd
Link:
https://www.unpac.me/results/abff2efd-dce8-4a2e-b964-d5646ad4c692/
SH256 hash:
47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b
MD5 hash:
43cfce2e126b1bf5230e51edd205f6bd
SHA1 hash:
9ca60bfc3cb13b40f02810869ce9531cb0ab76d4
Link:
https://www.unpac.me/results/abff2efd-dce8-4a2e-b964-d5646ad4c692/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/47d288233a39/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/374223/

Comments