MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 9



SHA256 hash: 51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
SHA3-384 hash: 1b519f245e033c4955b9019b5f9b917791266ce2d967b66a3bbc07fb19ac02d2af06fecf00aa14bdfe9d3f98c3c2f28b
SHA1 hash: ae35e761cd1633fa8b70bda3c2e3649c1694ffd1
MD5 hash: 8ee79738c37a919fdf38dc5a621556ce
humanhash: november-arizona-johnny-snake
File name: gozi.exe
Signature: Gozi
File size: 167'424 bytes
First seen: 2022-01-12 11:53:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 3072:L6wsatjMVqRmJyGrYnw0Zz9EbuJL2/5ipGlXnHyJBA8lPqBohiVVHyM/:OvatSqRayG9aL+0Jrqfy2
TLSH: T156F39D0237A8DF27EABA9BF55432208053B2755B2637E3488DC774DB25B6B200B52F57
Reporter: 0x746f6d6669
Tags: exe Gozi

Intelligence


File Origin
# of uploads: 1
# of downloads: 374
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: gozi.exe
Verdict: Malicious activity
Analysis date: 2022-01-12 11:57:53 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Creating synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Searching for the window
Creating a file
Unauthorized injection to a system process
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: MSHTA Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to steal Mail credentials (via file / registry access)
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Yara detected AntiVM3
Behaviour
Behavior Graph (ID: 551701, Sample: gozi.exe, Startdate: 12/01/2022, Architecture: WINDOWS, Score: 100)

Top-level signatures:
- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- Antivirus detection for URL or domain
- Antivirus / Scanner detection for submitted sample
- 12 other signatures

Process tree (node ids from the graph in parentheses):
- gozi.exe (11), started
  - Network: transfer.sh 144.76.136.153, port 443, local port 49743 (HETZNER-ASDE, Germany)
  - Dropped: C:\Users\user\AppData\Local\...\gozi.exe.log, ASCII
  - RegAsm.exe (18), started
    - Network: apr.intooltak.com 185.189.12.123, local ports 49751, 49752, 49754 (SUPERSERVERSDATACENTERRU, Russian Federation)
    - Signatures: Allocates memory in foreign processes; Maps a DLL or memory area into another process; Writes or reads registry keys via WMI; Writes registry values via WMI
    - control.exe (32), started
      - Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes
      - rundll32.exe (45), started
- mshta.exe (9), started
  - powershell.exe (15), started
    - Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Creates a thread in another existing process (thread injection)
    - explorer.exe (21), injected
      - Network: io.immontyr.com (signature: May check the online IP address of the machine)
      - Signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Mail credentials (via file / registry access); Changes memory attributes in foreign processes to executable or writable; 4 other signatures
      - cmd.exe (34), started
        - Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Uses nslookup.exe to query domains
        - conhost.exe (49), started
        - PING.EXE (51), started
      - cmd.exe (37), started
        - nslookup.exe (53), started
          - Network: resolver1.opendns.com; myip.opendns.com; 222.222.67.208.in-addr.arpa
          - Signature: May check the online IP address of the machine
        - conhost.exe (57), started
      - cmd.exe (39), started
        - conhost.exe (59), started
      - 4 other processes (47)
        - conhost.exe (61), started
    - csc.exe (25), started
      - Dropped: C:\Users\user\AppData\Local\...\hscan34n.dll, PE32
      - cvtres.exe (41), started
    - csc.exe (28), started
      - Dropped: C:\Users\user\AppData\Local\...\5n300s0s.dll, PE32
      - cvtres.exe (43), started
    - conhost.exe (30), started
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-01-07 08:34:41 UTC
File Type: PE (.Net Exe)
Extracted files: 20
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:1000 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Downloads MZ/PE file
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
apr.intooltak.com
app.querosityproject.com
Unpacked files
SHA256 hash: 83407464d2eb5be1d9ca7b840b52c5c7ccfc1ae2603d7a7d757b824f4613a2a8
MD5 hash: 6d9a7c94b1338a7b91bb9dcec656a913
SHA1 hash: 15bb699ffc8a2c9879e3dc6c7a9c23eac921a109
SHA256 hash: 51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
MD5 hash: 8ee79738c37a919fdf38dc5a621556ce
SHA1 hash: ae35e761cd1633fa8b70bda3c2e3649c1694ffd1
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments