MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fddc495d84c3b30397b2e3de7cdad79d322de9df03fa00bf792f6106a06a06f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fddc495d84c3b30397b2e3de7cdad79d322de9df03fa00bf792f6106a06a06f
SHA3-384 hash: 3b9ec1d7898921d69cb6c216e87b771885445fa38f9951cba2dcd5dcbfa87a0f0be76510bdec707d99ab98e938811012
SHA1 hash: af73ad6f099c389bfd3a271f94173e9aca84bc48
MD5 hash: 4eeb4ef9baa950b337e128ea45f2a902
humanhash: helium-pip-summer-cardinal
File name:Generale_Informazione.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:724'992 bytes
First seen:2023-01-19 10:07:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 69 x LummaStealer, 61 x Rhadamanthys)
ssdeep 1536:srae78zjORCDGwfdCSog01313js5gccF8OlntFdMBgtjw3r74D7eAOqJJot5pVOz:0ahKyd2n31I5KPlntkBu7viRynTuPY
Threatray 1'384 similar samples on MalwareBazaar
TLSH T11DF46EC5AB508183E8575AB09F5787E9A75AFE90BD3030473278F31E073EED29A26711
TrID 83.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
6.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 838f8ebbb9373ccd (1 x Gozi)
Reporter abuse_ch
Tags:exe Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354421/
Detection(s):
SecuriteInfo.com.Trojan.TR.Dropper.Gen.1500.11993.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Running batch commands
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/61397/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
83%
Tags:
advpack.dll rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/63c9164786e9647bb4c9e55e/reports/a937cb4f-54ef-4159-aecd-59f5612f4e53/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bd6ee55c-fb3c-452f-9ea8-fe98d4a427e6
Result
Threat name:
Ursnif, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154526
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Yara detected Costura Assembly Loader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 787258 Sample: Generale_Informazione.exe Startdate: 19/01/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Multi AV Scanner detection for domain / URL 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 6 other signatures 2->49 8 Generale_Informazione.exe 1 3 2->8         started        11 rundll32.exe 2->11         started        process3 file4 31 C:\Users\user\AppData\...\officerpov.exe, PE32 8->31 dropped 13 officerpov.exe 15 4 8->13         started        process5 dnsIp6 39 christianbeltran.co 174.142.60.54, 443, 49697 IWEB-ASCA Canada 13->39 51 Antivirus detection for dropped file 13->51 53 Multi AV Scanner detection for dropped file 13->53 55 Found evasive API chain (may stop execution after checking system information) 13->55 57 5 other signatures 13->57 17 cmd.exe 1 13->17         started        20 officerpov.exe 6 13->20         started        23 powershell.exe 16 13->23         started        signatures7 process8 dnsIp9 41 Encrypted powershell cmdline option found 17->41 25 powershell.exe 19 17->25         started        27 conhost.exe 17->27         started        33 62.173.147.43, 49709, 80 SPACENET-ASInternetServiceProviderRU Russian Federation 20->33 35 193.233.175.98, 49712, 80 REDCOM-ASRedcomKhabarovskRussiaRU Russian Federation 20->35 37 2 other IPs or domains 20->37 29 conhost.exe 23->29         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fddc495d84c3b30397b2e3de7cdad79d322de9df03fa00bf792f6106a06a06f/
Threat name:
Win64.Trojan.Gozi
Create hunting rule
Status:
Malicious
First seen:
2023-01-19 11:10:59 UTC
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7o4jfoyjq5taol3fy66ptnnphjsfxu56a72ac7xsl3ba2qgubxq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
4f38f1e0e4d1a7b0ee3e98bf9eb766bad6bddbe0ff43af23d28728f6195f109f
Gozi
5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a
Gozi
737bff8488486744c65118caaadaa03cc43981ec3c5b6c6bea544f3366f0873a
Gozi
b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4
Gozi
f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2
Gozi
+ 1'374 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7706 banker isfb persistence trojan
Link:
https://tria.ge/reports/230119-l5mpmscf31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.147.43
31.41.44.157
193.233.175.98
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4703fcca-6d5a-4a76-be82-2fe89711ec3b
Unpacked files
SH256 hash:
4fddc495d84c3b30397b2e3de7cdad79d322de9df03fa00bf792f6106a06a06f
MD5 hash:
4eeb4ef9baa950b337e128ea45f2a902
SHA1 hash:
af73ad6f099c389bfd3a271f94173e9aca84bc48
Link:
https://www.unpac.me/results/e61c309a-175d-4afb-bd31-d79fe5e587ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4fddc495d84c3b30397b2e3de7cdad79d322de9df03fa00bf792f6106a06a06f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/354421/

Comments