MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 18

Intelligence 18 IOCs YARA 10 File information Comments

SHA256 hash:	64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6
SHA3-384 hash:	393ca68d42340b97206d98886340d3d809d22aee4ab894b44c6962b6a6b237c345fed824fdaf94dcccd17e1d46402934
SHA1 hash:	60c8766682b968d9367f9099378f2c9f0ed07278
MD5 hash:	e54d9f8d9757fe6eead98ab59bd59ffa
humanhash:	mike-missouri-blossom-fix
File name:	Client.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	185'344 bytes
First seen:	2023-09-28 06:37:24 UTC
Last seen:	2023-09-28 08:00:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0efd7316aad84342092ab59f62ee0703 (1 x Gozi)
ssdeep	3072:+gZW8+P3NtOTH8CG95Ja4tXybaVLbPkxAgaX6wwzCqIg9:+SWfPLOL85hlVfjRSIg9
Threatray	255 similar samples on MalwareBazaar
TLSH	T14B04AEDDB1F194B3D97B297115708D3A8A2DFB31CB6199EF1784D6780A331808B3789A
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	JAMESWT_WT
Tags:	agenziaentrate exe Gozi isfb Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

330

Origin country :

Vendor Threat Intelligence

Malware family:

ursnif

ID:

File name:

Client.exe

Verdict:

Malicious activity

Analysis date:

2023-09-28 08:52:56 UTC

Tags:

gozi ursnif dreambot banker stealer

Link:

https://app.any.run/tasks/49faef03-b6f5-4db7-9a5c-8a6392e0c6dc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

UrsnifV3

Link:

https://www.capesandbox.com/analysis/451726/

Detection(s):

SecuriteInfo.com.Win32.BotX-gen.19585.31989.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a window

Searching for the window

Creating a file in the %temp% directory

Creating a file

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Running batch commands

Setting browser functions hooks

Possible injection to a system process

Stealing user critical data

Unauthorized injection to a system process

Unauthorized injection to a browser process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/65151f4b32ffdb7a7a172387/reports/ae9cc66e-de2f-48a0-8d58-03437ee536f6/overview

Verdict:

Malicious

Labled as:

TrojanS.F23C58EC

Link:

https://www.hybrid-analysis.com/sample/64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c94fbb0-c99d-4890-ae97-216f896f4891

Result

Threat name:

Ursnif, Strela Stealer

Detection:

malicious

Classification:

bank.troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1315674

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Changes memory attributes in foreign processes to executable or writable

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Found malware configuration

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Sigma detected: Dot net compiler compiles file from suspicious location

Snort IDS alert for network traffic

Suspicious powershell command line found

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Yara detected Ursnif

Yara detected Strela Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

gozi

Link:

https://mwdb.cert.pl/sample/64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6/

Threat name:

Win32.Spyware.TrickBot

Status:

Malicious

First seen:

2023-09-28 06:36:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mtxosgd6ffnpznuysian437pnsswhveiqf4eyodwlzomlehfllla._file

Verdict:

malicious

Label(s):

gozi

Gozi

5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587

Gozi

90dcd0a0441c0bfc7b488901ec4c5cd884e7a7e983a461aa1da113f973ee8ff9

Gozi

a2d1e788f4bb4f2d5e78004374b60c39a7208dcc4e8523eca686719d32bedd4d

Gozi

+ 245 additional samples on MalwareBazaar

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:5050 banker dave isfb trojan

Link:

https://tria.ge/reports/230928-hd3d8shh43/

Behaviour

Dave packer

Gozi

Malware Config

C2 Extraction:

netsecurez.com
whofoxy.com
mimemoa.com
ntcgo.com

Unpacked files

SH256 hash:

a121c2d98a7c8a815d48ae9201956f6489ff41b76af7a25c30e7cfaefa799c88

MD5 hash:

f21a13c84c2b17685ff9159eaf9d8e08

SHA1 hash:

c750d2efc96d0f41ffc776b8b257d7ff81a71a57

Link:

https://www.unpac.me/results/9fe4ce2a-dc32-4d5f-8676-ea620eefa8d6/

SH256 hash:

62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4

MD5 hash:

f2fce2e4bcb49ba32df2a5d4bb8c6644

SHA1 hash:

c53eba835d111b487b3550ebeac4e556b7c58e75

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/9fe4ce2a-dc32-4d5f-8676-ea620eefa8d6/

Parent samples :

0593d290e0110f628cd3922e52e1997354d1eaaf40f2ab192c5d12c811f5ba53
a2d1e788f4bb4f2d5e78004374b60c39a7208dcc4e8523eca686719d32bedd4d
5633a46c25aced4b07728fd437b92c5e9102eabaa134ac584e2aae2e0adce587
64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6
26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81
62b82255d14250c31bea18c23a0d468ced0f552ad488e9f869a2eb4ff00afce4
3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd
bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd

SH256 hash:

4bd1f52eb03c84f3f4dce6cb60cee79c61ac4858988a9b0b22fbb5a16801110c

MD5 hash:

b56288e9cceb2933a9e8cf8e96156511

SHA1 hash:

7534a20eac85bbef03fa66038cdb50f4d1ad18ea

Link:

https://www.unpac.me/results/9fe4ce2a-dc32-4d5f-8676-ea620eefa8d6/

SH256 hash:

64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6

MD5 hash:

e54d9f8d9757fe6eead98ab59bd59ffa

SHA1 hash:

60c8766682b968d9367f9099378f2c9f0ed07278

Link:

https://www.unpac.me/results/9fe4ce2a-dc32-4d5f-8676-ea620eefa8d6/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/64eee9187e29/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_indirect_function_call_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/451726/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample