MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8092e8842e1f992f109e158672c97f4cf67eab62ed6f017b5f4c0378fbfda264. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8092e8842e1f992f109e158672c97f4cf67eab62ed6f017b5f4c0378fbfda264
SHA3-384 hash: a6af4b3e71a6d3c782fc8abea6ca91600b1efc2fad2ec3b9a1bb06fedf214f28cee4793db4b3a57bda9f704f114f76cc
SHA1 hash: 444325eba25189ed60ac8cc9de9dc21af5e267a6
MD5 hash: 944d8991324c722fc1495d8f3dda1313
humanhash: wolfram-muppet-river-oscar
File name:SecuriteInfo.com.Generic.mg.944d8991324c722f.5651
Download: download sample
Signature Gozi
Create hunting rule
File size:249'344 bytes
First seen:2020-11-12 15:55:34 UTC
Last seen:2024-07-24 18:06:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1fbdd6e4ec3db908fa0d2193e0f8c722 (1 x Gozi)
ssdeep 6144:6LFbIFXFzYiSqGjNuhZRAdDdc4fC5hJL5ygg5l:6qpYiupuhZWg4aGgg/
Threatray 610 similar samples on MalwareBazaar
TLSH 0D34DFA07692C873C6C66836522EEB798C6D7A614BB490D7B2D41FDB1F352D0433728B
Reporter SecuriteInfoCom
Tags:Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic.mg.944d8991324c722f.5651.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/533005
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315607 Sample: SecuriteInfo.com.Generic.mg... Startdate: 12/11/2020 Architecture: WINDOWS Score: 84 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected  Ursnif 2->39 41 Machine Learning detection for sample 2->41 6 SecuriteInfo.com.Generic.mg.944d8991324c722f.exe 2->6         started        10 iexplore.exe 1 73 2->10         started        12 iexplore.exe 1 50 2->12         started        14 2 other processes 2->14 process3 dnsIp4 33 192.168.2.1 unknown unknown 6->33 35 sandypaterson.com 6->35 43 Detected unpacking (changes PE section rights) 6->43 45 Detected unpacking (overwrites its own PE header) 6->45 47 Writes or reads registry keys via WMI 6->47 49 Writes registry values via WMI 6->49 16 iexplore.exe 33 10->16         started        19 iexplore.exe 29 12->19         started        21 iexplore.exe 29 14->21         started        23 iexplore.exe 29 14->23         started        signatures5 process6 dnsIp7 25 sandypaterson.com 16->25 27 sandypaterson.com 19->27 29 sandypaterson.com 21->29 31 sandypaterson.com 23->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8092e8842e1f992f109e158672c97f4cf67eab62ed6f017b5f4c0378fbfda264/
Threat name:
Win32.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 15:29:56 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qcjorbbod6ms6ee6cwdhfsl7jt3h5k3c5vxqc627jqbxr675ujsa._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
111b64c8b5e23bf8980e1f9151f87132b1250f3c48df1106d3b2f0e0808830d8
Gozi
42433b509118c66781f3fbc95e1ea506d71260171c9462a085ff515619f1ca81
Gozi
76c8a9dbff9b571500729611595f1a1bce8dab543922d731c3bb42af5477f517
Gozi
7da2276b6ec4030a429bced09fd22766db5a153cd4a67fdf43887433309d62ae
Gozi
91f63fe19927cceee0d3696c9c8066c2eba22c3da0081edc9d102ab29d42f3af
Gozi
94bb5ce324e3dbf3b2f19b85d33b77b376539ef51dce95443803c9036ffb2be3
Gozi
9bd62c90f5baeee17578c1b9f1c51c6aa68da6f1044ffadcc72899ae704b0657
Gozi
bc6a7b0e544aade9fc2a48c08ad4aaebd3743396d120f86d9d81b3c8757d9888
Gozi
cb423174ba781dcc1b84ee859bdbace02125eaa345b3c902831016d9f4cf32e9
Gozi
cc20b331f9b2b1ab79cf8e3570ee00d39a22c2f6029097d3c78c4e8903a391b1
Gozi
+ 600 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201112-xk7w3tz9fx/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
8092e8842e1f992f109e158672c97f4cf67eab62ed6f017b5f4c0378fbfda264
MD5 hash:
944d8991324c722fc1495d8f3dda1313
SHA1 hash:
444325eba25189ed60ac8cc9de9dc21af5e267a6
Link:
https://www.unpac.me/results/df843421-986e-473c-a609-7de465ebb840/
SH256 hash:
86799bb2606b5b384013d812ad6fd90eb7d25ca07748db660aa9acc853f94fcc
MD5 hash:
89ea5dd57c5c5c3c8d22c59ec1905643
SHA1 hash:
421df28f1cfe4bfcd1788ba250f51fb51a6ee1bb
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/df843421-986e-473c-a609-7de465ebb840/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 8092e8842e1f992f109e158672c97f4cf67eab62ed6f017b5f4c0378fbfda264

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/810542/
  
Delivery method
Distributed via web download

Comments