MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268
SHA3-384 hash: e5a13cce6fe5300f8f9b8bf0b1b1689300aab322df0afb324d5680338c493c8349e17c06244895327faafbe9bdf1d28b
SHA1 hash: 17ac944aeeb72a3400315879559eb0cb9053306d
MD5 hash: f76fd93f2ee6355dd45116308c5c793b
humanhash: seven-seventeen-salami-dakota
File name:server.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:324'096 bytes
First seen:2023-03-06 13:53:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0309f345269cd9af3b42f8f4aa807e76 (3 x Gozi, 3 x Smoke Loader, 1 x Rhadamanthys)
ssdeep 3072:XiuITrRHXubLJpay6bipTus/Tu5fC9/vXws+bu9pJSOVIgyEFebu9nK7Kz1OW:wrUbLJJ6gRSJC1fws+bu9p5VnXtz
Threatray 223 similar samples on MalwareBazaar
TLSH T10364D0E271E1C0B2C19B04745821EBF16B7EB47157B586CB33A457BE5E302D2963B32A
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 011edac88ca4ac84 (1 x Gozi)
Reporter abuse_ch
Tags:7710 exe geo Gozi isfb ITA Ursnif


Avatar
abuse_ch
Gozi ISFB botnet: 7710

Spread via SMB:
smb://46.8.19.163/mise/server.exe

Gozi C2s:
62.173.140.103
31.41.44.63
46.8.19.239
185.77.96.40
46.8.19.116
31.41.44.48
62.173.139.11
62.173.138.251

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
server.exe
Verdict:
Suspicious activity
Analysis date:
2023-03-06 13:55:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1bb865f3-28e6-418d-b9b6-7a89019f5273

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372014/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6405f04166e79c93ba0e3ad4/reports/57b57a7f-0943-4bda-825a-849680a0c529/overview
Verdict:
Malicious
Labled as:
Ransom.84989A88
Link:
https://www.hybrid-analysis.com/sample/7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06a9e0bf-a15f-4a85-a1a9-05c7ad91ce24
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188059
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 14:04:50 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pscuues3butbho742h5tmzgahrq3yn4h5sf5427bdixxk2jnujua._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
cobaltstrike
Create hunting rule
Similar samples:
05b73bccd726df4df86b10b00b2ed4d6e6ba9832e3b473dd7abe6c50c8d5bfbf
Gozi
0b857f695ac9881c7e664fd00dffb30381bcd51a2d5a4e8e9877c142aa5774d4
Gozi
3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e
Gozi
3b3e3f142508409133b565c5ee076574340c6d2eded21b8294db1156c9474858
Gozi
42978b12f0f6a35808049532ca02a2cbbd0181bc71d6c8525a7a4d2c4861ee4a
Gozi
820fe3ac6c45fc1ed547de500f949780b4e1535e5429441ba50ff42adbc8b419
Gozi
9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d
Gozi
a7244954aa33a3d0bbdc5bf098d546135f1b90545ad649f83eb0fe96b741c296
Gozi
cff404581196accfce86e8ba7a5b8f63b686ef831e384d95e46a04f908e0987a
Gozi
dcc33bc510228ff4cf4dc286e5902be5a262e3def4189960c702d27b83da84b2
Gozi
+ 213 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7710 banker isfb trojan
Link:
https://tria.ge/reports/230306-q6ywhsca7w/
Behaviour
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.140.103
31.41.44.63
46.8.19.239
185.77.96.40
46.8.19.116
31.41.44.48
62.173.139.11
62.173.138.251
Unpacked files
SH256 hash:
7a60171a2366bc7cd2ea97ec50d4d90cf15e8b7c286f3840661aebec9f9b75ef
MD5 hash:
5b1a2e5c1ad156d5a1179be2af118901
SHA1 hash:
6e2d8fb9198b1b03d1edd95b1245bc0aeb1011a7
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/20ec7b83-fba0-47d0-83f6-938612c09519/
Parent samples :
a7244954aa33a3d0bbdc5bf098d546135f1b90545ad649f83eb0fe96b741c296
7a60171a2366bc7cd2ea97ec50d4d90cf15e8b7c286f3840661aebec9f9b75ef
3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e
7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268
957b7f7039ef6b3c84f374b6b602466cb196e50e477a37e012423b7a9d72aa7f
236f2a9fcc1176a802946828029465d054626f92d258015f8abccdc52d2365e7
ad738ad2b402c8918bdfcf0b90c9d3aad7802a62cea735d522351bca5bf8d1d7
fc3e7ff40a45bccd83617ea952eccdfc93301c6673cce8de33b4bf924b8957d9
47e870e2d1a123b74c470b0e01ed75ef196c714aeed8739f77ac6e56430dba35
a9f25933eb0dc82972d77854034dbc86220088eff4758a7df4e65f87ee1745e1
fc74e8faf8772293f2947c803c5309c64310c38d8e3f8efe18271004a9b96bba
19a9a43b36d2ed6516e4b1d8368cb3af64362507d2b30f4cb742fbe50780ee89
0c1d1a60a0fc143c9fc830be48c53d488b414921cf4d97d66466ff2a628d1b4d
SH256 hash:
4c62f159d20fb1fbd9423d0c45ad9020b668c7c59d01e489ad99657433b847f1
MD5 hash:
b91133cfe8cba566e105419ecfec37b3
SHA1 hash:
2231db31822e3684789b0a5355523368214139e6
Link:
https://www.unpac.me/results/20ec7b83-fba0-47d0-83f6-938612c09519/
SH256 hash:
7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268
MD5 hash:
f76fd93f2ee6355dd45116308c5c793b
SHA1 hash:
17ac944aeeb72a3400315879559eb0cb9053306d
Link:
https://www.unpac.me/results/20ec7b83-fba0-47d0-83f6-938612c09519/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7c854a125b0d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Gozi

c59dc482b521b021813681f99a8570aa0f57a30bcf42d48667eb09ae635cc9a1

Gozi

Executable exe 7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2560384/
  
URLhaus
https://urlhaus.abuse.ch/url/2560155/
  
Dropped by
MD5 f7f200f9159e911f84ae40e1a0c4e745
  
Dropped by
SHA256 c59dc482b521b021813681f99a8570aa0f57a30bcf42d48667eb09ae635cc9a1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/372014/

Comments