MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 789bd7d9d615cc2a6cd59593b7700272ff937d944572441c33659e5b96c79ff4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 789bd7d9d615cc2a6cd59593b7700272ff937d944572441c33659e5b96c79ff4
SHA3-384 hash: 6d5d9759bb80eeb86414304ae9c842372347721ac9268ee7c494b0f1ca8f1b91246f7facd3f909ce3d8b2143d4692c97
SHA1 hash: 564f7bf3ad052cf2358c563bbae89a7f89655cff
MD5 hash: 756940f4a31504a3a6f2bc9adc533c8d
humanhash: six-arizona-vegan-oven
File name:756940f4a31504a3a6f2bc9adc533c8d.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:285'696 bytes
First seen:2023-01-10 13:43:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b04dfc879ce241e69c87859b0f23b3d7 (5 x Smoke Loader, 3 x RedLineStealer, 3 x CoinMiner)
ssdeep 6144:CDZxLP6MMLNkPPdt6kfqXGVEGhnEmQLr:CDDGMMZkPVtXFBE7
Threatray 858 similar samples on MalwareBazaar
TLSH T1F754AEA37E91D573C40605304915FAF82E7EBC7EAE649A433318FEAF6E702D09652217
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9a9acececee6cae6 (2 x Smoke Loader, 2 x RedLineStealer, 1 x Gozi)
Reporter abuse_ch
Tags:exe geo Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
756940f4a31504a3a6f2bc9adc533c8d.exe
Verdict:
No threats detected
Analysis date:
2023-01-10 13:46:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0e8223ca-abe2-4280-981b-2df5c2b5c398

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351549/
Detection(s):
SecuriteInfo.com.Trojan.Siggen19.16369.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
DNS request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63bd6ba483a5ae8cb4a85340/reports/72079713-cb61-42e7-b5df-3e1f53e90634/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79cf8e60-d985-4622-a126-f6594d7600f5
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1148797
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/789bd7d9d615cc2a6cd59593b7700272ff937d944572441c33659e5b96c79ff4/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-01-10 13:44:08 UTC
File Type:
PE (Exe)
Extracted files:
69
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pcn5pwowcxgcu3gvswj3o4acol7zg7muivzeihbtmwpfxfwht72a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0bb6252f63c48ac085396dcbbac497f62ef59215f587ea298bff5ab8b6a367c5
Gozi
2fc9b66b443aec556da472e03f13aa3d3be5d7ac2e0863895476cf930cce285f
Gozi
3a7b101841bf22ff79f1a5b4f54de3bcc2d54fd172bf552ba3c9f560661ff37e
Gozi
a05dc87818dade7167f782409ae3d601be2a4565b896ea7f74610539724c5d75
Gozi
a7114af4127ee340e63f40e2a1726c3bd7af85b17bdf33d199b8ea7f3b35d07b
Gozi
a7a86feba39d56914b320770c63b2d59a2187d797fd7c46f0962a174dc1551f6
Gozi
addf8da7d1592ec574ccfe399695cf58b6059ccd7091c943305a15559c64ebe4
Gozi
c120a9b0f22236ec372ce1745b087a08ae494d138b2cb864bef7c660aee7afb9
Gozi
c6380e565710ea58f3b63837e2aa2fe6a368fe5d1d9675f4079d812d1896713a
Gozi
fceb8d758785f33f7184166b83d4d5129ee8907b5525be11afe4e614b71c56de
Gozi
+ 848 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7703 banker isfb trojan
Link:
https://tria.ge/reports/230110-q1axhagc24/
Behaviour
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.138.234
31.41.44.112
91.107.119.114
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eb8d984f-c654-4b9b-9383-664d8a1efaed
Unpacked files
SH256 hash:
90899f0cae6331ec8615641155f1b1018434d028644ff725af600b6e78c47c71
MD5 hash:
a3068aae0158ed3dd9805755394f28c1
SHA1 hash:
30d56782a1782982dddf315d0e8f4810e85acb67
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/d41bb29e-bb63-4b5b-be5b-61300cf3c113/
Parent samples :
a05dc87818dade7167f782409ae3d601be2a4565b896ea7f74610539724c5d75
789bd7d9d615cc2a6cd59593b7700272ff937d944572441c33659e5b96c79ff4
8f1c5b1771516be31b865dfc6b1829e9209e50baa159fc526ddac231430b2789
SH256 hash:
a5ba2a6f406b1805da8faa11bb725217512871280754a24e89b4c703036474a0
MD5 hash:
0d72a6d28a48621d96bfceb6baec42e5
SHA1 hash:
22b739a94f48d2ff26b6432245945a2fb984b8da
Link:
https://www.unpac.me/results/d41bb29e-bb63-4b5b-be5b-61300cf3c113/
SH256 hash:
789bd7d9d615cc2a6cd59593b7700272ff937d944572441c33659e5b96c79ff4
MD5 hash:
756940f4a31504a3a6f2bc9adc533c8d
SHA1 hash:
564f7bf3ad052cf2358c563bbae89a7f89655cff
Link:
https://www.unpac.me/results/d41bb29e-bb63-4b5b-be5b-61300cf3c113/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/789bd7d9d615/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/789bd7d9d615cc2a6cd59593b7700272ff937d944572441c33659e5b96c79ff4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351549/

Comments