MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7795986ba1469a24229fa4677c86267d2ea81f7309bf2b037f41986f9de33e95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	7795986ba1469a24229fa4677c86267d2ea81f7309bf2b037f41986f9de33e95
SHA3-384 hash:	282e44634b2b659f7a35287bde60adb66d3b3c7ff117a0f0b180452db6ab48d2f19fb603f101453b0182be5d2b8eff34
SHA1 hash:	f02fd937cd5e7ff228ec551b022c4eb0c47b0979
MD5 hash:	deca0a5eadd8fe2c821ec14bc1ec8ced
humanhash:	fix-three-lactose-burger
File name:	scarica
Download:	download sample
Signature	Gozi Create hunting rule
File size:	334'336 bytes
First seen:	2023-01-24 05:10:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	896bd4c3b553275a07449e8e12ceb759 (9 x Smoke Loader, 6 x RedLineStealer, 1 x RecordBreaker)
ssdeep	6144:bL3ejuGVZMAbzmv/wn5ctQK/fu1d0+RNOmTb:bDeQAmwutQKXu1Pa
Threatray	3'530 similar samples on MalwareBazaar
TLSH	T162649D426BF6AC91D632C6318D1ADAF8719DB9928E18B3371735EB2F1470673C573218
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9cdca4b0849484c0 (1 x Gozi)
Reporter	JAMESWT_WT
Tags:	agenziaentrate exe Gozi Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

219

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

scarica

Verdict:

No threats detected

Analysis date:

2023-01-24 05:13:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/39a30a3e-4fb4-4a11-b90a-e11df7ca967e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

UrsnifV3

Link:

https://www.capesandbox.com/analysis/356218/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm greyware packed

Link:

https://www.filescan.io/uploads/63cf686689bd67c10fd9a50d/reports/052010dd-5849-4550-9ddf-41cbe7a359f1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b7af4b32-95d3-40fc-ae4e-a7f9d1db08c7

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1157621

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7795986ba1469a24229fa4677c86267d2ea81f7309bf2b037f41986f9de33e95/

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o6kzq25bi2nciiu7urtxzbrgpuxkqh3tbg7swa37igmg7hpdh2kq._file

Verdict:

malicious

Label(s):

gozi

Gozi

177064e42608adb7e31d3a0180868074ccebf83e3a9ec59cd3d2b21284ab7df3

Gozi

24fbe4f1da376a9a82f1949310921cdb809fcd21411bddcd6f58ae294a06362b

Gozi

8e153c0855b1186360ac7c870b87d3a8f14a0757c0aaafe65de913cb2ff380d3

Gozi

9c83784bf8003b31f2d642c3d8f98ba5a854c07005b7ad85956715a3c853d3ad

Gozi

ae1b89b2a873d03c49a7d15940d20c5fb0b7263cb85a58575d2571fbec6a2646

Gozi

d602eb1cf5714b4ca028fb78ba08a8e68b059495a92298773edf446163e969ed

Gozi

dc652edc15efe459d42c98714ce360992b2c7bd366bb3a09c4e3707222d56f39

Gozi

+ 3'520 additional samples on MalwareBazaar

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:7707 banker isfb trojan

Link:

https://tria.ge/reports/230124-ft9r5sgg49/

Behaviour

Gozi

Malware Config

C2 Extraction:

checklist.skype.com
62.173.149.10
31.41.44.27
193.0.178.235

Unpacked files

SH256 hash:

05d1e45c65cc53e935153e6278089cb228cceffbcdc65067c30273265bc2ce9c

MD5 hash:

6bddc7ac5daf41b61eb3641d804f49eb

SHA1 hash:

6499cffa7ffdd633390c99f5c41df3c96d62f34e

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/5a833e24-36fb-46e3-a738-383bf355574d/

Parent samples :

7796075f1ef6325830eed5369b7e5930ca514b6f32d304d51434873fcb5031e0
6a85735e5412ab19cfcfbe329566e17ae6678dc52ddea44b74e873a6d3f82561
8b154b06cc094eb22a4aae98f2bc60e4759f6258aa5bfb364f44b665bf65ff1e
a0582f1620e556673fb326be7c5861dc418a91877db39699c62d56edf0066296
8f97d27f6865a095851353708666db5b68d831cc4e6251089d236a58f89a2aaf
7795986ba1469a24229fa4677c86267d2ea81f7309bf2b037f41986f9de33e95
43c74657d446c3b7867dde69f79b4839927c9cc10a421798969c433dd8dde174
05d1e45c65cc53e935153e6278089cb228cceffbcdc65067c30273265bc2ce9c

SH256 hash:

2d5307ceb90e53fb4aa419cad94286cf972f1f907efcf05d8e025b1cf1d423d2

MD5 hash:

7ec2a06328e521228c774ea354abf7a2

SHA1 hash:

637ae913484853bd1312bd94dc97123f45f1ab00

Link:

https://www.unpac.me/results/5a833e24-36fb-46e3-a738-383bf355574d/

SH256 hash:

7795986ba1469a24229fa4677c86267d2ea81f7309bf2b037f41986f9de33e95

MD5 hash:

deca0a5eadd8fe2c821ec14bc1ec8ced

SHA1 hash:

f02fd937cd5e7ff228ec551b022c4eb0c47b0979

Link:

https://www.unpac.me/results/5a833e24-36fb-46e3-a738-383bf355574d/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7795986ba146/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7795986ba1469a24229fa4677c86267d2ea81f7309bf2b037f41986f9de33e95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/356218/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample