MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cd071a056f555c793b95c82f9eff1fcf60e304a1e9589988e9819f27a754256. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8cd071a056f555c793b95c82f9eff1fcf60e304a1e9589988e9819f27a754256
SHA3-384 hash: ff0caf7fde738bac4143f0c1d69218e33077f81124a8ff9a4f368172b0f485b325b62dfca37ef07924256ae436e5b65d
SHA1 hash: c3c3cbad8d40c7ba332c2b6d7ae0464d092c0877
MD5 hash: d09f787a952a6e946656ac9184768fbe
humanhash: romeo-violet-blue-undress
File name:d09f787a952a6e946656ac9184768fbe.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:240'128 bytes
First seen:2023-03-14 13:54:19 UTC
Last seen:2023-03-14 15:32:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ae274c29ca15928cb1e23f2e712ba155 (8 x RedLineStealer, 4 x Gozi, 3 x Smoke Loader)
ssdeep 3072:T1rxrNcNq2GawilCy9y1UKk4BauPffL1xrN2fKdGJh0RxW2NM6BoaM6:LNyqAwgCQmouPnL1xN2kQ2NMioa
Threatray 442 similar samples on MalwareBazaar
TLSH T100348E1272D0A871E7324631BE2BD3B5661EFCA18F5D6AEB23846A2F4D711E1CE71341
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9092d250cc646ad0 (1 x Gozi)
Reporter abuse_ch
Tags:250255 7713 exe Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d09f787a952a6e946656ac9184768fbe.exe
Verdict:
No threats detected
Analysis date:
2023-03-14 13:55:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e06f3d22-6adf-43e3-ad37-c7e2b6b6ff64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374244/
Detection(s):
SecuriteInfo.com.Trojan.Heur2.RP.om0@b88Asr.21461.32349.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed shell32.dll spyeye
Link:
https://www.filescan.io/uploads/64107cb82477a9bb41e3a45c/reports/2cd40ca1-2484-4373-bd73-c0657795f2a5/overview
Verdict:
Malicious
Labled as:
Trojan.Heur2.RP.Generic
Link:
https://www.hybrid-analysis.com/sample/8cd071a056f555c793b95c82f9eff1fcf60e304a1e9589988e9819f27a754256
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3de13e80-3f12-4734-972d-849eb32b6c7a
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1193346
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8cd071a056f555c793b95c82f9eff1fcf60e304a1e9589988e9819f27a754256/
Threat name:
Win32.Trojan.Lockbit
Create hunting rule
Status:
Malicious
First seen:
2023-03-14 11:40:01 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
28 of 39 (71.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rtihdicw6vk4pe5zlsbpt37r7t3a4mckd2kytgeotam7e6tvijla._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2ee64e188677e6544342a29562d04bcab608c528f91df42e09a6fb5c8a63b8ce
Gozi
7efe8c83ab4ba8773421d7f897a1c490214118f7924d5a45868b070cae6899dd
Gozi
881d60034e97cfa4e36b8da907e5d2e130c9f19abdd386990ee5a9cdce91d117
Gozi
8858454db0f0b8ceba934276cbe76f5bdae1814cffe3db3d7d95463f72bb9155
Gozi
8cfad47521642927f7ab5f7401445393ab916fe2f67072b44cadfa89c11a40fe
Gozi
b3c1c51816ed1e710c16b9979424f6e048de948320e1560664f02b7fd68a1c70
Gozi
bfa7f935ce2d538f08ef9b71990ff857c855ae47f402010207533a85831b0d69
Gozi
c5b524dbacb95cc217ebc06f8a825b45f59c5a92910ff89b530b3909fcfb8442
Gozi
d658d0bb771c4bfd0bb54afa84ecf8162650c6581488639b6ffd0dfa05912b0d
Gozi
fcc6db5850927866d4cbe47d291c406551fdcacd462234b31800e3377f30734f
Gozi
+ 432 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7713 banker isfb trojan
Link:
https://tria.ge/reports/230314-q75epahf4y/
Behaviour
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.142.51
94.103.183.153
193.233.175.111
109.248.11.145
31.41.44.106
191.96.251.201
Unpacked files
SH256 hash:
c8cd5b4d24e95445db1808a58d15a8189315fc12505708e4e2829c8655f4d632
MD5 hash:
62c8f0eb617194d3ac20cc92d148647f
SHA1 hash:
7ddad0a257d870f5bd1c2178bc0cb1814a7dd253
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/e6960f8a-4e1b-45df-84a4-54936fc3092a/
Parent samples :
881d60034e97cfa4e36b8da907e5d2e130c9f19abdd386990ee5a9cdce91d117
8cfad47521642927f7ab5f7401445393ab916fe2f67072b44cadfa89c11a40fe
7efe8c83ab4ba8773421d7f897a1c490214118f7924d5a45868b070cae6899dd
47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b
8cd071a056f555c793b95c82f9eff1fcf60e304a1e9589988e9819f27a754256
9261b47b4fd67523f7afe640e55ccb95ec8b154b5dfa34a8564986ac3e97fe1a
c9f213f89ae4eb4e3ef4ec3cd71d3440adfdb9aee07841da844e4c176ff53869
SH256 hash:
8ebcdb4d9102eb770d460c330134becbb7fc2a6ab3d648f1b87d6d76f766ab57
MD5 hash:
08720501f82cbc426cbee469688cc2c0
SHA1 hash:
3eb0aff1360edf79c789297db72eb100f57a8abd
Link:
https://www.unpac.me/results/e6960f8a-4e1b-45df-84a4-54936fc3092a/
SH256 hash:
8cd071a056f555c793b95c82f9eff1fcf60e304a1e9589988e9819f27a754256
MD5 hash:
d09f787a952a6e946656ac9184768fbe
SHA1 hash:
c3c3cbad8d40c7ba332c2b6d7ae0464d092c0877
Link:
https://www.unpac.me/results/e6960f8a-4e1b-45df-84a4-54936fc3092a/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8cd071a056f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8cd071a056f555c793b95c82f9eff1fcf60e304a1e9589988e9819f27a754256

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/374244/

Comments