MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a867e1b8a9f61982d85e13d152be9e0ac1bb415850d837194d94636b058c621. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi
Vendor detections: 6

SHA256 hash: 5a867e1b8a9f61982d85e13d152be9e0ac1bb415850d837194d94636b058c621
SHA3-384 hash: 0390a0c85e4e8867d7cfe370f4fc2bf9170ddf99c95455005c7bb34c82f0b995b04cf78a906be0e0f61c41fddc992634
SHA1 hash: 51dba332b709a17bbe3004feab013c1344fe1468
MD5 hash: 913f000caf3a88346eb6d01d801eabd2
humanhash: golf-fifteen-juliet-delta
File name: avviso.zip
Signature: Gozi
File size: 461 bytes
First seen: 2023-01-23 09:11:32 UTC
Last seen: 2023-01-23 10:52:53 UTC
File type: zip
MIME type: application/zip
ssdeep: 12:5jW3HtsnHvVtJ9WBywn3gS3vyeAPaM8ktptp4/:9SsnHvob3V3w1ji/
TLSH: T1D3F0F129940D0E17C61DA2720A62015EC935CDE16D49B30714CF5740020CBF35756675
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: JAMESWT_WT
Tags: agenziaentrate Gozi Ursnif zip

Intelligence

File Origin
# of uploads: 2
# of downloads: 91
Origin country: IT

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: avviso.url
File size: 193 bytes
SHA256 hash: d805414808764f9a88179e1a76491d5ec30100e8671dd73f9f4d8cc1bae0b339
MD5 hash: 23301d211eee22fe26182735358c9394
MIME type: text/plain
Signature: Gozi
Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 80%
Tags: remote

Threat name: Script-JS.Trojan.Ursnif
Status: Malicious
First seen: 2023-01-23 09:12:06 UTC
File Type: Binary (Archive)
Extracted files: 1
AV detection: 3 of 26 (11.54%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:gozi botnet:7707 banker isfb trojan
Behaviour:
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Checks computer location settings
Gozi
Malware Config
C2 Extraction:
  checklist.skype.com
  62.173.149.10
  31.41.44.27
  193.0.178.235

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gozi
File type: zip
SHA256 hash: 5a867e1b8a9f61982d85e13d152be9e0ac1bb415850d837194d94636b058c621 (this sample)

Delivery method: Distributed via web download