MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55c9174f8e46852cecde40c6816bdb6758b033113a6383dc1bcebdf77fd63be4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55c9174f8e46852cecde40c6816bdb6758b033113a6383dc1bcebdf77fd63be4
SHA3-384 hash: 2712acf1d125df97a5c502885571070079ae00c0a4d9a3b20fc35bc3a11b970afc7effbf402ae9bbd633e1c08bd5333e
SHA1 hash: f4523061afa1b2e538b869a93a6f39e712685e66
MD5 hash: 00bfe3c9df49cc312e8f831c2fb122b4
humanhash: orange-twelve-social-utah
File name:SecuriteInfo.com.Generic.mg.00bfe3c9df49cc31.5768
Download: download sample
Signature Gozi
Create hunting rule
File size:227'328 bytes
First seen:2020-04-22 12:01:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f357d486372db4414f89d30e61049f2b (1 x Gozi)
ssdeep 3072:AYx88k9f6MzV962PR6GDLm4A4UN4okqm4L+jlj6BdIxWG:fxAMMbFPR6GDLmPX4oU2+jluBewG
Threatray 78 similar samples on MalwareBazaar
TLSH FD247D3176F2C432F2B7593055B173B64A377C625B3091CB17942A6A2E363E18A77B23
Reporter SecuriteInfoCom
Tags:Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 55c9174f8e46852cecde40c6816bdb6758b033113a6383dc1bcebdf77fd63be4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/348056/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::RevertToSelf
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindFirstVolumeMountPointA
KERNEL32.dll::FindNextVolumeA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleOutputCharacterW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetConsoleScreenBufferSize
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetWindowsDirectoryA
ADVAPI32.dll::BackupEventLogA
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::QueryServiceLockStatusW

Comments