MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63b506c0917d35cbf539bad3ad26d82ea3edbe50ba3f09f6e39a03c969fa8cfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Gozi
Vendor detections: 8



SHA256 hash: 63b506c0917d35cbf539bad3ad26d82ea3edbe50ba3f09f6e39a03c969fa8cfd
SHA3-384 hash: 9c1cea85f6a89397f2f8f8f4ec34cd422e32148316c5b185e0b9f0c835e074c977b24764122a6ef6a49edfd215befa6c
SHA1 hash: ca89ca05ee36b580f713b1e17bb4694506069622
MD5 hash: 7b70469bba9d761d9b90c49c596575d6
humanhash: alanine-table-ten-fruit
File name: communicalink.ps1
Signature: Gozi
File size: 172 bytes
First seen: 2023-10-05 21:26:28 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 3:SnfM6mqeXAwLXHPtwrWFFdAFEeIAYRmdKI5MuK6R6IBSMeFy1MFIwporFn:ef8qNWmFvGwII5MIR6I91MFIsoRn
Threatray: 10 similar samples on MalwareBazaar
TLSH: T1A3C0C00E3B18BF7080B09746D91BD44EFC5618E00C0BB104229C08080E04851D7DCD43
Reporter: JAMESWT_WT
Tags: agenziaentrate, Gozi, ps1, Ursnif

Intelligence


File Origin
# of uploads: 1
# of downloads: 234
Origin country: IT
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details: Malicious Scriptlet 2 of 7
Detected a malicious pivot typically seen during the 'file-less' pivot commonly seen in malware carriers.

Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 64 / 100
Signature:
- Antivirus / Scanner detection for submitted sample
- Antivirus detection for URL or domain
- Contains functionality to modify clipboard data
- Powershell drops PE file

Result
Threat name: Text.Dropper.PShell
Status: Malicious
First seen: 2023-10-05 21:27:05 UTC
File Type: Text (PowerShell)
AV detection: 3 of 23 (13.04%)
Threat level: 3/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour:
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Blocklisted process makes network request
- Downloads MZ/PE file
Malware Config
Dropper Extraction: http://communicalink.com/putty.exe
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
