MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e9f4d4c879eb99c4cd06121a3852ed5b2d1ee98a09095e0544a74c2b906c8be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e9f4d4c879eb99c4cd06121a3852ed5b2d1ee98a09095e0544a74c2b906c8be
SHA3-384 hash: e839a51afc39f141a072a3cf0ab744dd214c701cf86f478c23e947203a7473bc3e2db8938eabd7fe604c1895035b612c
SHA1 hash: 6a7712d2501f2b627655523fdb3a3a4ee99d3145
MD5 hash: d9cc6cd5c7e6b8e06451c5334e3ff3fa
humanhash: social-alabama-friend-idaho
File name:Agenzia_Entrate.zip
Download: download sample
Signature Gozi
Create hunting rule
File size:515 bytes
First seen:2023-01-23 08:53:33 UTC
Last seen:2023-01-23 10:52:49 UTC
File type: zip
MIME type:application/zip
ssdeep 12:5jx8wtN2mOHmkVtJlWBp2J3gS3hlTRSzwBj2mZYj9cnr:9GwtWHLQE3V3hpUwuBcr
TLSH T121F05C146E310BA6E209D27B5DDB8039C712520E1AD6B9F7529A0177D10CDE80F6FEEE
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter JAMESWT_WT
Tags:agenziaentrate Gozi isfb ITA Ursnif zip

Intelligence

File Origin
# of uploads :
4
# of downloads :
92
Origin country :
IT IT
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Agenzia_Entrate.url
File size:193 bytes
SHA256 hash: 1733a69420c4f4c83afee2e9a4b09094e2358c33696c24cf30468991cb6da875
MD5 hash: 2f51b9260df01427360ae67ed36605c8
MIME type:text/plain
Signature Gozi
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilShortcut.DottedQuadDancingInHeavenZip.20230105.UNOFFICIAL
Create hunting rule

TwinWave.EvilShortcut.DottedQuadDancingInHeaven.20230105.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
remote
Link:
https://www.filescan.io/uploads/63ce4b2b2b351a3d0ea7db09/reports/d85557d8-c5c9-4927-8958-03c9c42a2f52/overview
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/6e9f4d4c879eb99c4cd06121a3852ed5b2d1ee98a09095e0544a74c2b906c8be
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e9f4d4c879eb99c4cd06121a3852ed5b2d1ee98a09095e0544a74c2b906c8be/
Threat name:
Script-JS.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2023-01-23 08:54:06 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
3 of 26 (11.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2pu2teht24zytgqmeq2hbjo2wznd3uyucijlycujj2mfoigzc7a._file
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7707 banker isfb trojan
Link:
https://tria.ge/reports/230123-kw6wgsec31/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.149.10
31.41.44.27
193.0.178.235
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e9f4d4c879eb99c4cd06121a3852ed5b2d1ee98a09095e0544a74c2b906c8be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Methodology_Suspicious_Shortcut_SMB_URL
Create hunting rule
Author:@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Description:Detects remote SMB path for .URL persistence
Reference:https://twitter.com/cglyer/status/1176184798248919044

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

zip 6e9f4d4c879eb99c4cd06121a3852ed5b2d1ee98a09095e0544a74c2b906c8be

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2515966/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2516011/
  
URLhaus
https://urlhaus.abuse.ch/url/2516019/

Comments