MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c4e3ad7d3bc423db78ccfa66e4c4fda9045844a802eeaed3d1dea8a936b9e10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 14



SHA256 hash: 5c4e3ad7d3bc423db78ccfa66e4c4fda9045844a802eeaed3d1dea8a936b9e10
SHA3-384 hash: d70c697fb17522d43d83b0b2be238c329d6842f31e94a53d1a93adad6d731cae46a43d9d6e9b6cfcf5c2c6fa3b7cc0e6
SHA1 hash: cb2d19be57fd66a023b474469c423932f9ae2fdc
MD5 hash: 601715c5f4e239e48076a412d4ffa380
humanhash: violet-uncle-potato-early
File name: afTCDzK.exe
Signature Gozi
File size: 1'377'525 bytes
First seen: 2023-05-24 16:32:07 UTC
Last seen: 2023-05-24 18:57:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 4afbc3ea79152c3f8469f1157ab7e53a (2 x Rhadamanthys, 2 x QuasarRAT, 1 x RedLineStealer)
ssdeep 24576:2HWmAFrsRjYeObpe7MijAceLIfMTvlcuqbajlTfCq+kc5y8dVP2WyFh9jVArX:HsRnOY7VjTeqMjlchbarL8dVP2WyFh98
Threatray 554 similar samples on MalwareBazaar
TLSH T1C255127BF181C677D0B10ABC5E95C1D8746DBB242D2C680FB0E81F4E5E3A09257BD29A
TrID 25.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
23.1% (.SCR) Windows screen saver (13097/50/3)
17.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
11.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.9% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon fef0e2fefcaecf60 (1 x Gozi)
Reporter Anonymous
Tags: exe Gozi

Intelligence


File Origin
# of uploads :
2
# of downloads :
283
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
afTCDzK.exe
Verdict:
Malicious activity
Analysis date:
2023-05-24 16:34:27 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Searching for synchronization primitives
Moving a file to the %temp% subdirectory
Running batch commands
Launching a process
Launching cmd.exe command interpreter
Creating a file
Launching a service
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint greyware lolbin overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Behavior Graph ID: 874841; Sample: afTCDzK.exe; Startdate: 24/05/2023; Architecture: WINDOWS; Score: 100
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 3 other signatures
Process tree recovered from the graph (started and injected processes, dropped files, network contacts and per-process signatures):
afTCDzK.exe
  dropped: C:\Users\user\AppData\Local\...ngine.exe (PE32)
  started: Engine.exe
    signature: Contains functionality to detect sleep reduction / modifications
    started: cmd.exe
      signatures: Obfuscated command line found; Uses ping.exe to sleep; Drops PE files with a suspicious file extension; Uses ping.exe to check the status of other devices and networks
      started: conhost.exe
      started: cmd.exe
        dropped: C:\Users\user\AppData\Local\...\Brief.exe.pif (PE32)
        signatures: Obfuscated command line found; Uses ping.exe to sleep
        started: powershell.exe (two instances); 2 other processes
        started: Brief.exe.pif
          DNS: kgmVofhKhkLkZP.kgmVofhKhkLkZP
          signatures: Writes or reads registry keys via WMI; Writes registry values via WMI; Injects a PE file into a foreign processes
          started: Brief.exe.pif
            network: 31.214.157.31, 49701, 80 RACKPLACEDE Germany
            signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
            started: control.exe
              signature: Creates a thread in another existing process (thread injection)
              injected: explorer.exe
                network: 94.247.42.213, 49703, 80 MEER-ASmeerfarbigGmbHCoKGDE Germany; 107.158.128.38, 49704, 9955 EONIX-COMMUNICATIONS-ASBLOCK-62904US United States; 79.132.128.116, 49702, 80 COMNET-ASBG Germany
                signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Mail credentials (via file / registry access); Changes memory attributes in foreign processes to executable or writable; 6 other signatures
                started: cmd.exe
                  started: conhost.exe
                injected: RuntimeBroker.exe (two instances)
                2 other processes
mshta.exe
  started: powershell.exe
    dropped: C:\Users\user\AppData\...\3vhh3khz.cmdline (Unicode)
    signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
    started: conhost.exe
    started: csc.exe
      dropped: C:\Users\user\AppData\Local\...\3vhh3khz.dll (PE32)
      started: cvtres.exe
    started: csc.exe
      dropped: C:\Users\user\AppData\Local\...\4cpl1rcb.dll (PE32)
      started: cvtres.exe
Threat name:
Win32.Trojan.Ursnif
Status:
Suspicious
First seen:
2023-05-24 03:50:16 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:gozi botnet:444333 banker isfb trojan upx
Behaviour
Checks processor information in registry
Modifies registry class
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Gozi
Malware Config
C2 Extraction:
http://31.214.157.31
http://chick.bing.com
http://185.212.47.59
http://chic2k.bing.com
http://79.132.128.116
http://ch3ick.bing.com
http://77.91.87.244
chidck.bing.com
http://77.91.87.248
Unpacked files
SHA256 hash:
0132c185e69550ae7fa93410b2898ef4b2d43b793bd40ccc98dd4ee9111b4f5c
MD5 hash:
3f32dd4e028f3041d35652d956742db9
SHA1 hash:
a212613b5efba77395ca764e5ab586269fbac79d
SHA256 hash:
18479a0a722d7346505ac27b20a8c4ea6ac8b087010a6ed02aeb5833c9d9e7ff
MD5 hash:
8085a7221b1ca6dc5be44e029c7eb9e7
SHA1 hash:
2bffedeea6da345f53d3c27b112b0a3fbc5bb22c
SHA256 hash:
1f0e489f7c3e429cf3f9fd646b37f70a4cee92d782e9e6c3de2e4877acab05aa
MD5 hash:
6adb4a40719a11471c2b455041ae5e0e
SHA1 hash:
244138c707f5f2b30736c16071203762bffba108
SHA256 hash:
5c4e3ad7d3bc423db78ccfa66e4c4fda9045844a802eeaed3d1dea8a936b9e10
MD5 hash:
601715c5f4e239e48076a412d4ffa380
SHA1 hash:
cb2d19be57fd66a023b474469c423932f9ae2fdc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments