MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ca6d4d0d27c950e7bc234bc16b0a89bf9122ac5b708fa215ce7bf4009387350. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	8ca6d4d0d27c950e7bc234bc16b0a89bf9122ac5b708fa215ce7bf4009387350
SHA3-384 hash:	4aff208e85de319d9362888e4b55235d9231f956f9f40d4c7dd174f02ddc8f63da3810fe4ce4acfeee2777d56811e522
SHA1 hash:	f55311179339c6a63ff8bd4fa9e778d42f53711f
MD5 hash:	c6f3e8fca98ff28eaf0ae05d55d25a43
humanhash:	bulldog-one-hydrogen-green
File name:	server.exe
Download:	download sample
Signature	Gozi Alert Create hunting rule
File size:	196'608 bytes
First seen:	2023-03-08 07:12:15 UTC
Last seen:	2023-03-08 08:33:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bd539b249d1dc5b6030dd4bb1a6c6cad (4 x RedLineStealer, 2 x Gozi, 2 x Smoke Loader)
ssdeep	3072:vb3yZLXEOZu0UYKgcN6ugTCIKmO8YUAWDE/Rp9gRFGH52c:u9XTZu0zKnNYDlO8YI4Zp9gr
Threatray	416 similar samples on MalwareBazaar
TLSH	T107148E1253ED6C25F6735A319E3EC2F5272FBD638D28667B22146A1F08B12E1C572732
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	916a6e6a6a6a6a70 (15 x RedLineStealer, 12 x Smoke Loader, 5 x Amadey)
Reporter	JAMESWT_WT
Tags:	exe Gozi isfb ITA MEF mise Ursnif

Intelligence

---

File Origin

# of uploads :

3

# of downloads :

248

Origin country :

IT

Vendor Threat Intelligence

ANY.RUN ursnif

Malware family:

ursnif

Alert

Create hunting rule

ID:

1

File name:

server.exe

Verdict:

Malicious activity

Analysis date:

2023-03-08 07:13:33 UTC

Tags:

gozi ursnif dreambot trojan

Link:

https://app.any.run/tasks/0b00c6b3-d175-46f3-ae4c-5622327bb828

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/372477/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Variant.Mikey.145421.8294.19060.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6408357e7f18ce9b01807dfb/reports/d5adee16-8ff4-4594-9849-38f61aceed0c/overview

Hybrid Analysis Mikey.Generic

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/8ca6d4d0d27c950e7bc234bc16b0a89bf9122ac5b708fa215ce7bf4009387350

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Ursnif

Malware family:

Ursnif

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e204ec64-c3a0-49e7-86ef-8263c1780edb

Joe Sandbox Ursnif

Result

Threat name:

Ursnif

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1189195

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8ca6d4d0d27c950e7bc234bc16b0a89bf9122ac5b708fa215ce7bf4009387350/

ReversingLabs TitaniumCloud Win32.Trojan.Ursnif

Threat name:

Win32.Trojan.Ursnif

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-03-08 07:13:26 UTC

File Type:

PE (Exe)

Extracted files:

30

AV detection:

16 of 24 (66.67%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rstnjugspskq466cgs6bnmfitp4rekwfw4epuik4467uacjyonia._file

Threatray gozi

Verdict:

malicious

Label(s):

gozi

Alert

Create hunting rule

Similar samples:

05b73bccd726df4df86b10b00b2ed4d6e6ba9832e3b473dd7abe6c50c8d5bfbf

Gozi

236f2a9fcc1176a802946828029465d054626f92d258015f8abccdc52d2365e7

Gozi

3b3e3f142508409133b565c5ee076574340c6d2eded21b8294db1156c9474858

Gozi

42978b12f0f6a35808049532ca02a2cbbd0181bc71d6c8525a7a4d2c4861ee4a

Gozi

7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268

Gozi

9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d

Gozi

cff404581196accfce86e8ba7a5b8f63b686ef831e384d95e46a04f908e0987a

Gozi

fc3e7ff40a45bccd83617ea952eccdfc93301c6673cce8de33b4bf924b8957d9

Gozi

+ 406 additional samples on MalwareBazaar

Hatching Triage gozi

Result

Malware family:

gozi

Alert

Create hunting rule

Score:

  10/10

Tags:

family:gozi botnet:7711 banker isfb trojan

Link:

https://tria.ge/reports/230308-h13nhseb3y/

Behaviour

Gozi

Malware Config

C2 Extraction:

checklist.skype.com
62.173.138.6
89.117.37.146
46.8.210.82
89.116.227.15
31.41.44.51

UnpacMe ISFB_Main win_isfb_auto

Unpacked files

SH256 hash:

5bd64a7b018db5b4538d8077ad7a50871dc6c5682a1f151cc5e8a42673e4384f

MD5 hash:

e12d09d7f5bc156c651ad31508626593

SHA1 hash:

afdbc23b99f31640b473772dc1db24ffc9ed61a9

Detections:

ISFB_Main

Alert

Create hunting rule

win_isfb_auto

Alert

Create hunting rule

Link:

https://www.unpac.me/results/e78361b5-f106-4204-b2fd-32f92f12f060/

Parent samples :

8ca6d4d0d27c950e7bc234bc16b0a89bf9122ac5b708fa215ce7bf4009387350
5bd64a7b018db5b4538d8077ad7a50871dc6c5682a1f151cc5e8a42673e4384f
2b31a64f7d221dfd8ac33edaf101a4c1ac73f36dcd7abb976517fb1e90750544
bb426461ef70ffd601cb64a687c62edda066b99a79e49d880918300da5eb6548

SH256 hash:

f92b7309b1f8db85c47cf85f63fc630aa38bd3c8d462f25414b958de50b85b71

MD5 hash:

b1ae3f12e513cd39695206b0ffb7e474

SHA1 hash:

8e5779b84417fb83708078274c1329d27f33ff41

Link:

https://www.unpac.me/results/e78361b5-f106-4204-b2fd-32f92f12f060/

SH256 hash:

8ca6d4d0d27c950e7bc234bc16b0a89bf9122ac5b708fa215ce7bf4009387350

MD5 hash:

c6f3e8fca98ff28eaf0ae05d55d25a43

SHA1 hash:

f55311179339c6a63ff8bd4fa9e778d42f53711f

Link:

https://www.unpac.me/results/e78361b5-f106-4204-b2fd-32f92f12f060/

VMRay Ursnif

Malware family:

Ursnif

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8ca6d4d0d27c/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8ca6d4d0d27c950e7bc234bc16b0a89bf9122ac5b708fa215ce7bf4009387350

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/372477/