MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 737bff8488486744c65118caaadaa03cc43981ec3c5b6c6bea544f3366f0873a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 737bff8488486744c65118caaadaa03cc43981ec3c5b6c6bea544f3366f0873a
SHA3-384 hash: e315ea163a294e859503e20e8e401a984d6387ba98e1c59b42548ea3cfbd198e44f09b29d2e8409ffa1dd7c2674d5d27
SHA1 hash: b52884b79ae65d24de7a6f675dd96633661961c9
MD5 hash: 3ed8befbea842fc2afd4cdfe05e5a238
humanhash: mockingbird-oven-virginia-utah
File name:Informazion.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:218'624 bytes
First seen:2023-01-17 17:36:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cd7d8c902ddb79cbb51797a0feba0fec (10 x Smoke Loader, 6 x RedLineStealer, 1 x Rhadamanthys)
ssdeep 3072:8X3kNjyWSfjr5yJcF/xve01jHLejZnruuK26Z5+a:48ijZ5x1rEZSL90a
Threatray 3'391 similar samples on MalwareBazaar
TLSH T1F824AD1232D3FC71C51642324E39DAE97B7EBA344966965737142AAF2E702B0F963307
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9a9acedecac2c6c6 (1 x Gozi)
Reporter JAMESWT_WT
Tags:agenziaentrate exe Gozi Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
634
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Informazion.exe
Verdict:
No threats detected
Analysis date:
2023-01-17 17:36:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/56bc6cc6-ca44-49eb-8006-8465ff3713ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353903/
Detection(s):
SecuriteInfo.com.MSIL-35.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Searching for the window
Using the Windows Management Instrumentation requests
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63c6dc84e56ca96f6d4ffe13/reports/b1ff196f-e856-4141-b1e6-a6baa00566c3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73237354-0537-483f-9433-a86d73d2a606
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1153339
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/737bff8488486744c65118caaadaa03cc43981ec3c5b6c6bea544f3366f0873a/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2023-01-17 17:36:00 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=on577beijbtujrsrddfkvwvahtcdtapmhrnwy27kkrhtgzxqq45a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
28fa399c77300c2883af5b05b1b204822080ab4efc81f0c18d2c13da91b1540d
Gozi
77629525d17aa4d9f1774497c1ed871735298bf362431374b063ec7d78937799
Gozi
8bfefb8e570740d5568198d5fefc27426ffb1589ce8203242f41e71f0c9bf7a9
Gozi
b638d8eb5e29363fad82bba676f1eeded42e0001be498ad835463cfc3a300b90
Gozi
b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4
Gozi
ba278645565f88fe308c506bb79793dc94239bafba5d8357dc0244c0ee1c073a
Gozi
d82d5eb34ec6fe223d783afa596e8c58f9ffbc5920fe83dc0115780909882ba3
Gozi
dce104615ded3e8c69abd1f362850e87acfc3dbe0752db1562157615f56fe34b
Gozi
f6c5bf500e4232377c631d6daa24b4492485a77627a06af69383f25762afe31f
Gozi
f9884452829d3ae85a5ccb07d762b13b65a056234a31f8b1cfe34cdc1eeec57a
Gozi
+ 3'381 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7705 banker isfb trojan
Link:
https://tria.ge/reports/230117-v6kfcagb2z/
Behaviour
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.140.150
31.41.44.179
91.107.119.172
Unpacked files
SH256 hash:
7103f7350c1c6440c7d2b0eb0508155299ee952d2f3c7fd4494ea336148b611e
MD5 hash:
31cc93e9ddac46a13a913a20636f0cca
SHA1 hash:
f745b819167c4876c293d4e67e28e68d993cdcda
Link:
https://www.unpac.me/results/d3d4ce00-fe64-410a-bf4d-38d329baf8fe/
SH256 hash:
fc1b71bb16f5f21c92a4654bd8d027414741f57f3537daff55efc16b820705f6
MD5 hash:
a07bcf19802db39b4eb1d786e5d2070b
SHA1 hash:
c1c2b079334bfa6b91df0e0bbecb07c99165d343
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/d3d4ce00-fe64-410a-bf4d-38d329baf8fe/
Parent samples :
5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a
f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2
b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4
737bff8488486744c65118caaadaa03cc43981ec3c5b6c6bea544f3366f0873a
4f38f1e0e4d1a7b0ee3e98bf9eb766bad6bddbe0ff43af23d28728f6195f109f
SH256 hash:
737bff8488486744c65118caaadaa03cc43981ec3c5b6c6bea544f3366f0873a
MD5 hash:
3ed8befbea842fc2afd4cdfe05e5a238
SHA1 hash:
b52884b79ae65d24de7a6f675dd96633661961c9
Link:
https://www.unpac.me/results/d3d4ce00-fe64-410a-bf4d-38d329baf8fe/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/737bff848848/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/737bff8488486744c65118caaadaa03cc43981ec3c5b6c6bea544f3366f0873a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/353903/

Comments