MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476
SHA3-384 hash: 95f94b23471fa0795ef4e6f1cfacc2ce0e57ca26aee8025349305339202bdff76422633420fb6596a5cd7dd0b09b40da
SHA1 hash: 4c23e414457d18ceee367a19afbe0c51588c3df0
MD5 hash: 7bf3a72a5287c6388cda810822c894a3
humanhash: high-arkansas-pluto-uranus
File name:SecuriteInfo.com.Trojan.Siggen17.24708.25098.10939
Download: download sample
Signature Gozi
Create hunting rule
File size:8'078'848 bytes
First seen:2022-03-21 20:21:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 74 x LummaStealer, 62 x Rhadamanthys)
ssdeep 196608:rszWCrZ/1LjT4vlo6vqDs7eAlWCOETnNoauXM/XRDC:rsKCr4NlqD2KEhLRw
Threatray 1'468 similar samples on MalwareBazaar
TLSH T18F86332AC6D591F5E42A5BBC4AE19163D7293DD61FB861FF23B8C2312D316C86831B0D
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter SecuriteInfoCom
Tags:exe Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253829/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.24708.25098.10939.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Moving a file to the %temp% subdirectory
Creating a file
Running batch commands
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/10262/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll control.exe explorer.exe packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6238de780cd58dbd92d12218/reports/71796056-2da7-4cf2-8999-99624e472659/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/199723c8-da83-4ad6-896c-1c5b7efc9bb9
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961193
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Found strings related to Crypto-Mining
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Xmrig
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Shellcode strings
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 593670 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 21/03/2022 Architecture: WINDOWS Score: 100 98 Sigma detected: Xmrig 2->98 100 Multi AV Scanner detection for submitted file 2->100 102 Yara detected Shellcode strings 2->102 104 6 other signatures 2->104 8 Wm?PrvSE.exe 37 2->8         started        12 SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe 1 5 2->12         started        14 svchost.exe 9 1 2->14         started        16 6 other processes 2->16 process3 file4 76 C:\Users\user\AppData\Local\...\wmiprov.dll, PE32+ 8->76 dropped 78 C:\Users\user\AppData\Local\...\wmipdskq.dll, PE32+ 8->78 dropped 80 C:\Users\user\AppData\Local\...\wmipdfs.dll, PE32+ 8->80 dropped 88 14 other files (12 malicious) 8->88 dropped 118 Multi AV Scanner detection for dropped file 8->118 120 Detected unpacking (changes PE section rights) 8->120 122 Query firmware table information (likely to detect VMs) 8->122 124 2 other signatures 8->124 18 HxTsr.exe 8->18         started        23 cmd.exe 1 8->23         started        25 cmd.exe 1 8->25         started        29 4 other processes 8->29 82 C:\Users\user\...\Win32WebViewHost.exe, PE32+ 12->82 dropped 84 C:\Users\user\AppData\Local\...\Wm0PrvSE.e_, PE32+ 12->84 dropped 86 C:\Users\user\AppData\...\Runt0meBroker.e_, PE32+ 12->86 dropped 27 Win32WebViewHost.exe 2 12->27         started        signatures5 process6 dnsIp7 92 monerooceans.stream 51.75.64.249, 20128, 49823 OVHFR France 18->92 94 gulf.moneroocean.stream 18->94 70 Microsoft.Windows....teDiagReport.ni.dll, PE32+ 18->70 dropped 106 Multi AV Scanner detection for dropped file 18->106 108 Query firmware table information (likely to detect VMs) 18->108 110 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->110 31 WMIC.exe 23->31         started        34 conhost.exe 23->34         started        36 WMIC.exe 1 25->36         started        38 conhost.exe 25->38         started        72 C:\Users\user\AppData\...\WmVPrvSE.exe (copy), PE32+ 27->72 dropped 74 C:\Users\user\...\RuntVmeBroker.exe (copy), PE32+ 27->74 dropped 112 Uses schtasks.exe or at.exe to add and modify task schedules 27->112 114 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 27->114 40 cmd.exe 1 27->40         started        42 cmd.exe 1 27->42         started        46 2 other processes 27->46 116 Uses ping.exe to sleep 29->116 44 WMIC.exe 29->44         started        48 6 other processes 29->48 file8 signatures9 process10 signatures11 126 DLL side loading technique detected 36->126 128 Uses ping.exe to sleep 40->128 130 Uses ping.exe to check the status of other devices and networks 40->130 50 PING.EXE 1 40->50         started        53 conhost.exe 40->53         started        55 xcopy.exe 1 40->55         started        57 xcopy.exe 6 42->57         started        60 conhost.exe 42->60         started        62 PING.EXE 1 42->62         started        64 PING.EXE 1 42->64         started        66 conhost.exe 46->66         started        68 conhost.exe 46->68         started        process12 dnsIp13 96 127.0.0.1 unknown unknown 50->96 90 C:\Users\user\AppData\Local\...\Wm?PrvSE.exe, PE32+ 57->90 dropped file14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476/
Threat name:
Win64.Trojan.BankerX
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 01:29:38 UTC
File Type:
PE+ (Exe)
Extracted files:
69
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
42421c08872fa9a261dfe3184f7747d224ed3deb2c0420bbb2ce8f00387fd258
Gozi
436b57eb4ebf6768af469abaabbb1de5ef33ee07a87a82e279f98c9a079a2497
Gozi
5906182e34caa4c37339e8d87cb46c9b9788088450d8a4b7c2052db5dbb8d174
Gozi
5ef79469533653cf78a5dbff0a9d408d13541b2245874598f0177cc139e5e841
Gozi
74e715ab7d6fc63775301ab87d959bcbc0af17ce3fe4eb36547392082935a77f
Gozi
8d28f3c7f370b5d1bf1868e5de0e16d380ca93d583ca74c45fae83ba24f9c8aa
Gozi
a1457e7a591877c3732325e462c479a450b19bda91ecaca0a37cdb137ed152ae
Gozi
bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca46c40af8d23173011d3
Gozi
cdbed3a79d37d581fc5be268df61e13aaafa5c88a001f4e8b298d77c4b37ae13
Gozi
fc7c0979e0a7b2f95d8e50177b844166ced49a0c78de4adcedef75090dee4dd9
Gozi
+ 1'458 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/220321-y5lhssaadl/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with WMI
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476
MD5 hash:
7bf3a72a5287c6388cda810822c894a3
SHA1 hash:
4c23e414457d18ceee367a19afbe0c51588c3df0
Link:
https://www.unpac.me/results/f89ba24e-b9e5-404e-bdd7-2c0c99774a72/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2109463/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/253829/

Comments