MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a
SHA3-384 hash: 34f016ae98b470df61124d1a15f2b9a1a41b443ba431729a2bafc650b05ce04982eb01815f23b2f22a649d242a545875
SHA1 hash: 915f37cbd47642a516fd7699b776365d56ea4946
MD5 hash: 7f604bc886d0d85c1e5fd6ac0d0fa534
humanhash: purple-tennessee-texas-don
File name:Informazion.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:215'552 bytes
First seen:2023-01-17 11:31:30 UTC
Last seen:2023-01-17 13:32:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a0b230fe92ca04dbfff9730343347dc (10 x Smoke Loader, 5 x RedLineStealer, 2 x TeamBot)
ssdeep 1536:BQukrLAoIAOnUH2AwIsuIHUebOza9YUPkHQloel56QPiIDqGKxiDfdGMIv/a090t:BXGLsQUZZ5yIGhyj6wOIMkO785+a
Threatray 3'378 similar samples on MalwareBazaar
TLSH T18B249D2236D3FCB0E55A02344E79DAE82B7EB9314E66864773541A1F2E702B0F967347
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9ecedec6e2cac6 (1 x Gozi)
Reporter JAMESWT_WT
Tags:agenziaentrate exe Gozi Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Informazion.exe
Verdict:
No threats detected
Analysis date:
2023-01-17 11:34:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/757fe48a-d325-4e14-82c7-8fb87fb9fffa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353748/
Detection(s):
SecuriteInfo.com.Win32.RansomX-gen.16543.22245.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/60925/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63c68732e4e81283f94e473f/reports/96780f17-e32a-44af-816e-ecee05cedc6f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2baec83a-988c-4102-a313-c990dbff4cc1
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1152992
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2023-01-17 11:32:06 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kryoyfh7hskt4bxyagzpcc3ycr2wpiymzeq5gw7a7ncd346kevfa._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
00babce061f017c51c5799689de541126e9faa21c2aedba0edcd9b6747faefe5
Gozi
6f09c2393a8210f820155b6a83f960b89b01668b8b247fbbe80f800bb7f96b78
Gozi
7154d76c80bc182ade72d0abd50f9468a70be4af668b7afa9663089f1c21c208
Gozi
72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8
Gozi
95995020ec49e88fea2d9e59f009c41a81cf4d2e7424182d143afa4c62b6b316
Gozi
cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb
Gozi
dffa733c2c9b9905cdd28c18b9034a8e60d40d48845fef4e33116d9fe75cdd9d
Gozi
e1cec2ac2bae640c5636a20b92fdcdf05da3fd87a30a20497072cccc82b9d621
Gozi
+ 3'368 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7705 banker isfb trojan
Link:
https://tria.ge/reports/230117-nnad4abb8w/
Behaviour
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.140.150
31.41.44.179
91.107.119.172
Unpacked files
SH256 hash:
7103f7350c1c6440c7d2b0eb0508155299ee952d2f3c7fd4494ea336148b611e
MD5 hash:
31cc93e9ddac46a13a913a20636f0cca
SHA1 hash:
f745b819167c4876c293d4e67e28e68d993cdcda
Link:
https://www.unpac.me/results/04d27c68-b222-4950-8148-8706293a5c8a/
SH256 hash:
fc1b71bb16f5f21c92a4654bd8d027414741f57f3537daff55efc16b820705f6
MD5 hash:
a07bcf19802db39b4eb1d786e5d2070b
SHA1 hash:
c1c2b079334bfa6b91df0e0bbecb07c99165d343
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/04d27c68-b222-4950-8148-8706293a5c8a/
Parent samples :
5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a
f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2
b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4
737bff8488486744c65118caaadaa03cc43981ec3c5b6c6bea544f3366f0873a
4f38f1e0e4d1a7b0ee3e98bf9eb766bad6bddbe0ff43af23d28728f6195f109f
SH256 hash:
5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a
MD5 hash:
7f604bc886d0d85c1e5fd6ac0d0fa534
SHA1 hash:
915f37cbd47642a516fd7699b776365d56ea4946
Link:
https://www.unpac.me/results/04d27c68-b222-4950-8148-8706293a5c8a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/353748/

Comments