MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ed9e8b1e7ca4c6ecce0929514d0f195d4202809a3e933e06f2af0f7eba53d8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ed9e8b1e7ca4c6ecce0929514d0f195d4202809a3e933e06f2af0f7eba53d8b
SHA3-384 hash: 2b069d35cd09a70b45993d704fa78d71d496cbb4027fb53a5c8d2ffc40c4edfed128d0ff69ba1cd294c707d822cfb5f4
SHA1 hash: a4abf24eda19bf997e2de103c6d0cb3675f225e0
MD5 hash: 1b6b88b4f8da87f1524d77166c9a01dd
humanhash: speaker-minnesota-four-robert
File name:Documenti url
Download: download sample
Signature Gozi
Create hunting rule
File size:194 bytes
First seen:2023-03-22 07:20:47 UTC
Last seen:2023-03-22 10:38:26 UTC
File type:
MIME type:text/plain
ssdeep 6:HRYFJb5bsZD68Szsj8UNIvyc1yc54vVG/4xHy:HRYFJ268x8UCvhy3VW4xS
TLSH T1D2C022048A0A806AC142440AE0A8BD68AD0EB0081CFBCA1C23C9E987AC804D5CE04ABA
TrID 91.6% (.URL) Windows URL shortcut (11000/1/2)
8.3% (.INI) Generic INI configuration (1000/1)
Reporter JAMESWT_WT
Tags:agenziaentrate Gozi isfb ITA MEF mise url Ursnif

Intelligence

File Origin
# of uploads :
3
# of downloads :
103
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.29007.BadLnk.UNOFFICIAL
Create hunting rule

TwinWave.EvilShortcut.DottedQuadDancingInHeaven.20230105.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
remote
Link:
https://www.filescan.io/uploads/641aac623b01ade53e704448/reports/b8afe1e9-5165-42c7-86e5-67553c275ff2/overview
Verdict:
Malicious
Labled as:
Trojan.Inf.Downloader
Link:
https://www.hybrid-analysis.com/sample/5ed9e8b1e7ca4c6ecce0929514d0f195d4202809a3e933e06f2af0f7eba53d8b
Result
Verdict:
UNKNOWN
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ed9e8b1e7ca4c6ecce0929514d0f195d4202809a3e933e06f2af0f7eba53d8b/
Threat name:
Win32.Trojan.UrsnifLNK
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 07:21:08 UTC
File Type:
Text
AV detection:
4 of 37 (10.81%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3m6rmphzjgg5thaskkrjuhrsxkcakajuputhydpflypp25fhwfq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ed9e8b1e7ca4c6ecce0929514d0f195d4202809a3e933e06f2af0f7eba53d8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Methodology_Suspicious_Shortcut_SMB_URL
Create hunting rule
Author:@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Description:Detects remote SMB path for .URL persistence
Reference:https://twitter.com/cglyer/status/1176184798248919044

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Gozi

5ed9e8b1e7ca4c6ecce0929514d0f195d4202809a3e933e06f2af0f7eba53d8b

(this sample)

Gozi

Executable exe 75827be0c600f93d0d23d4b8239f56eb8c7dc4ab6064ad0b79e6695157816988

  
Dropping
SHA256 75827be0c600f93d0d23d4b8239f56eb8c7dc4ab6064ad0b79e6695157816988
  
Dropping
MD5 4c85e34c3dddedb3ea43bc2f30d36807

Comments