MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4
SHA3-384 hash:	95318929912f6efc88f7265158ac7900b5bef15fed808bb427ab5d056a7e980439e81d17b856ac3c5717735df118b2b7
SHA1 hash:	c53eba835d111b487b3550ebeac4e556b7c58e75
MD5 hash:	f2fce2e4bcb49ba32df2a5d4bb8c6644
humanhash:	pasta-summer-spaghetti-mississippi
File name:	working_gozi_payload.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	45'056 bytes
First seen:	2023-09-28 10:11:14 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	ef075d26b728b78a932306e24062e80c (7 x Gozi)
ssdeep	768:SX/rx/qCa8OmwxfhqwSJ9z7XdjP0lBdCEtDsh4eLiTL7gpP1ZXOTy:Svrx/qp8OmwxfhyVxQlBdvW4eLOL7eX7
Threatray	629 similar samples on MalwareBazaar
TLSH	T194137D41B9F508F3C3965EB0A714FBB4A7FD863122386151EF23A9C91D64953E13E24B
TrID	30.2% (.EXE) Win64 Executable (generic) (10523/12/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4505/5/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	Viuleeenz
Tags:	agenziaentrate dll Gozi unpacked

Intelligence

File Origin

# of uploads :

# of downloads :

308

Origin country :

Vendor Threat Intelligence

Detection:

UrsnifV3

Link:

https://www.capesandbox.com/analysis/451751/

Detection(s):

Win.Malware.Ursnif-9975502-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypto greyware lolbin masquerade packed shell32 ursnif

Link:

https://www.filescan.io/uploads/6515517383a0c6425d0195a5/reports/e2a508cc-995a-44ea-9005-39b6a38dfdd6/overview

Verdict:

Malicious

Labled as:

Ursnif.1.Generic

Link:

https://www.hybrid-analysis.com/sample/62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cbe01bbd-ab26-4b21-8b17-8f883725bc52

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1315764

Signature

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4/

Threat name:

Win32.Trojan.Ursnif

Status:

Malicious

First seen:

2023-09-27 14:17:17 UTC

File Type:

PE (Dll)

AV detection:

22 of 23 (95.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mk4cevorijimgg7kddbdudkgrtwq6vjk2seot6djulvu74ak7tsa._file

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:5050 isfb

Link:

https://tria.ge/reports/230928-l8gykaae2v/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Malware Config

C2 Extraction:

netsecurez.com
whofoxy.com
mimemoa.com
ntcgo.com

Unpacked files

SH256 hash:

62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4

MD5 hash:

f2fce2e4bcb49ba32df2a5d4bb8c6644

SHA1 hash:

c53eba835d111b487b3550ebeac4e556b7c58e75

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/a59674f4-b37b-429c-9ac6-6c944f115f7d/

Parent samples :

0593d290e0110f628cd3922e52e1997354d1eaaf40f2ab192c5d12c811f5ba53
a2d1e788f4bb4f2d5e78004374b60c39a7208dcc4e8523eca686719d32bedd4d
5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587
64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6
26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81
62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4
3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd
bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_indirect_function_call_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/451751/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample