MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cd6b6e54b7d7a09c97322ed1070957d6dc7c7279c8b9875b56e2afedf07758b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cd6b6e54b7d7a09c97322ed1070957d6dc7c7279c8b9875b56e2afedf07758b
SHA3-384 hash: 555e75c2fd461a3260b87e85d900890aa07fc5c0a191ae140ff5c533714d1c4b2cab7c78e044e04ce51cf76ed9ff530e
SHA1 hash: 0ebe9805a83e26d5bc5e706d37817ec09426c2b9
MD5 hash: d1f62da8c0210e545604b0955ee61499
humanhash: mirror-yellow-pizza-cold
File name:drop.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:503'808 bytes
First seen:2022-11-30 10:16:25 UTC
Last seen:2022-11-30 14:01:35 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 1e0f2a6cc9f9b5d8f758a43e6ea68307 (1 x Gozi)
ssdeep 12288:apwKj5bb0epMz1ym1v9yxp+2q5fSudIXd+roA:apwEbVqz1ryG15fXd6deoA
Threatray 587 similar samples on MalwareBazaar
TLSH T1ABB40102952296F3E034E3F5DD69622754B9C4834B5189F7F4920FF26C2EEF4C5B0A8A
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter pr0xylife
Tags:agenziaentrate agenziariscossione dll Gozi ifsb ITA

Intelligence

File Origin
# of uploads :
4
# of downloads :
216
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/340025/
Detection(s):
SecuriteInfo.com.BScope.TrojanBanker.Gozi.30193.3262.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63872d9e24da1c12cfe2322a/reports/754893e9-c257-432d-a1af-6b4e1a8f8f1c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/85021dbf-585a-4fa0-b72d-916166209010
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1123832
Signature
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4cd6b6e54b7d7a09c97322ed1070957d6dc7c7279c8b9875b56e2afedf07758b/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2022-11-30 10:17:06 UTC
File Type:
PE (Dll)
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jtllnzklpv5atsltelwra4evpvw4przhtsfzq5nvnyvp5xyhowfq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2db38485abff68002fced62495b105cf98ca3eda7bbd30249ed3cf8be23ff2e0
Gozi
49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86
Gozi
4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba
Gozi
65f687a5c0e757cd8e296f8b0453b27726e5017502e93dcb8379d59fe9c056a3
Gozi
7ca57c7d182c4c00ae2c86e0e2055734d6b6421a7c419b5bb9c69869b8dbec64
Gozi
8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2
Gozi
+ 577 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:5050 banker isfb trojan
Link:
https://tria.ge/reports/221130-mbcs1seb8y/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi
Malware Config
C2 Extraction:
config.edge.skype.com
optinetwork.top
onlynetwork.top
internetcoca.in
dendexmm.com
Unpacked files
SH256 hash:
60b28133c0a924972a7109e88006cf8037ebcce51826ae2abdd1d853b981da83
MD5 hash:
8edcf808b1a97c246a002f765b475eb4
SHA1 hash:
eaebd5afb7da8125770d4d9038f3b35efde7df34
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/c5fbafc0-641e-4b7c-aaf4-c97c4d20227d/
SH256 hash:
7493ff73dfcae6e476fb3470d9daa40b0a09cc4cc434ab9ff44133fde691cc96
MD5 hash:
e54742603611fca7dd8d3a2031efa10c
SHA1 hash:
c155199daad55003165545ef0509ab9634d39f48
Link:
https://www.unpac.me/results/c5fbafc0-641e-4b7c-aaf4-c97c4d20227d/
SH256 hash:
4cd6b6e54b7d7a09c97322ed1070957d6dc7c7279c8b9875b56e2afedf07758b
MD5 hash:
d1f62da8c0210e545604b0955ee61499
SHA1 hash:
0ebe9805a83e26d5bc5e706d37817ec09426c2b9
Link:
https://www.unpac.me/results/c5fbafc0-641e-4b7c-aaf4-c97c4d20227d/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4cd6b6e54b7d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/4cd6b6e54b7d7a09c97322ed1070957d6dc7c7279c8b9875b56e2afedf07758b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/340025/

Comments