MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8
SHA3-384 hash:	656b56e826a73b3b9934e1cc39eef7b7c9951191a0f919b30bf5663a8a47e98b291aa1238c9810959c6eacfa72e188df
SHA1 hash:	8e99676816e094685a7caa78cf1140ab618ae6d4
MD5 hash:	3ad89ea0f4281025bf43aed8d60a6ae6
humanhash:	purple-enemy-kentucky-black
File name:	72.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	37'888 bytes
First seen:	2022-09-28 12:18:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1640d668d1471f340cbe565fe63522f6 (15 x Gozi)
ssdeep	768:sQLm41fM01vANyR60Qm7O7ZescPfIWPah1q6JyLKv57IXCwqkrUl5RkhILl:sL41fMSvQA6ZesIePILe4CwZrm5iC
Threatray	1'139 similar samples on MalwareBazaar
TLSH	T17603F108FE430E62E19F1B755F5D1B04E6B0BB940728A8E89BB3C89DC5D2D9B9EF4405
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	0x746f6d6669
Tags:	exe Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/314341/

Detection(s):

SecuriteInfo.com.Variant.Zusy.387325.22216.22980.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

DNS request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/39731/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63343bb8d089a0c15dd2915b/reports/8aa0db69-566d-4004-b803-330c17ed942b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/79e6a990-3002-475b-9e7a-5496041ab52f

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1079196

Signature

Antivirus / Scanner detection for submitted sample

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8/

Threat name:

Win32.Infostealer.Gozi

Status:

Malicious

First seen:

2022-09-26 18:30:36 UTC

File Type:

PE (Exe)

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ojieyb7gcbnxauafdhz3z5yy2mitmjcwbrkzj2d4bcso7qxcugua._file

Verdict:

malicious

Label(s):

gozi

Gozi

34437641a6b16fcbc6a726c0eabcebf0e9abccb3a878aee2d0a7797c0dd4eae9

Gozi

7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc

Gozi

8730706139c6431886ce5d5fe83079f063fa81f85c2827f7b34b4ecb30886871

Gozi

9ec85fa9097826fce61020be2f15ed01c320109c7ec3654c2a42b1b5c46b4b6f

Gozi

a5ea92139f59d185548e8f48d1ce65cbf54bf1e3e1930de221091017fd1d4f0a

Gozi

c0e28d4e88c59688657c839c344e6c1289002ef0ba461ebbf3cd4b75949312e9

Gozi

e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869

Gozi

ee53ac8909a116494439489590de99162e1e3ceb6bdf839b6e30bdc1686d2a11

Gozi

+ 1'129 additional samples on MalwareBazaar

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:40000 banker trojan

Link:

https://tria.ge/reports/220928-pg6pdsfgg2/

Behaviour

Gozi, Gozi IFSB

Malware Config

C2 Extraction:

trackingg-protectioon.cdn1.mozilla.net
45.8.158.104
188.127.224.114
weiqeqwns.com
wdeiqeqwns.com
weiqeqwens.com
weiqewqwns.com
iujdhsndjfks.com

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a1592aad-343a-4655-a7e5-299ec9191cb0

Unpacked files

SH256 hash:

5ea2b9d4c4b4f5f102d63de28ad8ce4016a01469cd2c2ab92be57e5af6839f87

MD5 hash:

2a29f12a43156619c6a97cb54844b053

SHA1 hash:

d7deab6e3c5e158b73c9ffb1455cb57f04423786

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/fcef93cf-26a8-4a57-a5a9-14e546495270/

SH256 hash:

72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8

MD5 hash:

3ad89ea0f4281025bf43aed8d60a6ae6

SHA1 hash:

8e99676816e094685a7caa78cf1140ab618ae6d4

Link:

https://www.unpac.me/results/fcef93cf-26a8-4a57-a5a9-14e546495270/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/72504c07e610/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/314341/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample