MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cfad47521642927f7ab5f7401445393ab916fe2f67072b44cadfa89c11a40fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	8cfad47521642927f7ab5f7401445393ab916fe2f67072b44cadfa89c11a40fe
SHA3-384 hash:	a5dbdbf3ee2ee44fdcc22d0578d28a5c608e506bfe32fa7c4a1d67bca32254f49b83fb5c48b60472e11ec39354c8e007
SHA1 hash:	0db17d1fcb4464120a6f3b088693f7b370fd0153
MD5 hash:	0a7efdf643e54621fe9b9e5a29c06faf
humanhash:	nineteen-west-winter-winter
File name:	server.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	239'104 bytes
First seen:	2023-03-14 08:23:11 UTC
Last seen:	2023-03-14 09:30:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ae274c29ca15928cb1e23f2e712ba155 (8 x RedLineStealer, 4 x Gozi, 3 x Smoke Loader)
ssdeep	3072:HlrxsoA0q2uvNzapNaCik4A5RIiUDzmk5lLLBqc8KrOdNcJWrJGHG/Ni:IoXqNN+pIV4RhUNnvrOI0rJSqN
Threatray	106 similar samples on MalwareBazaar
TLSH	T169348D1372D0A471E6724A31BE1BC2F4661FFCA58F5966E723986A2F1D711E1CE36302
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	1094c2444a404242 (1 x Gozi)
Reporter	JAMESWT_WT
Tags:	agenziaentrate exe Gozi isfb ITA MEF mise Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

server.exe

Verdict:

No threats detected

Analysis date:

2023-03-14 08:25:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a1f98c3b-94eb-436d-a9a4-84c01d103ab8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/374195/

Detection(s):

SecuriteInfo.com.Trojan.Heur2.RP.om0@biyRqA.31722.4511.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lockbit packed shell32.dll spyeye

Link:

https://www.filescan.io/uploads/64102f2256d2bc8d80b773c1/reports/105203ec-fc9e-4ca8-b989-d2a309d81924/overview

Verdict:

Malicious

Labled as:

Trojan.Heur2.RP.Generic

Link:

https://www.hybrid-analysis.com/sample/8cfad47521642927f7ab5f7401445393ab916fe2f67072b44cadfa89c11a40fe

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f117848e-7082-413c-bc51-f9073b2bbc39

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1193150

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8cfad47521642927f7ab5f7401445393ab916fe2f67072b44cadfa89c11a40fe/

Threat name:

Win32.Trojan.Lockbit

Status:

Malicious

First seen:

2023-03-14 08:20:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rt5ni5jbmqusp55ll52acrctsovzc37c6zyhfncmvx5itqi2id7a._file

Verdict:

malicious

Label(s):

gozi

Gozi

236f2a9fcc1176a802946828029465d054626f92d258015f8abccdc52d2365e7

Gozi

7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268

Gozi

7efe8c83ab4ba8773421d7f897a1c490214118f7924d5a45868b070cae6899dd

Gozi

881d60034e97cfa4e36b8da907e5d2e130c9f19abdd386990ee5a9cdce91d117

Gozi

8ca6d4d0d27c950e7bc234bc16b0a89bf9122ac5b708fa215ce7bf4009387350

Gozi

9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d

Gozi

b3c1c51816ed1e710c16b9979424f6e048de948320e1560664f02b7fd68a1c70

Gozi

fc3e7ff40a45bccd83617ea952eccdfc93301c6673cce8de33b4bf924b8957d9

Gozi

+ 96 additional samples on MalwareBazaar

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:7713 banker isfb trojan

Link:

https://tria.ge/reports/230314-kapp3sed33/

Behaviour

Gozi

Malware Config

C2 Extraction:

checklist.skype.com
62.173.142.51
94.103.183.153
193.233.175.111
109.248.11.145
31.41.44.106
191.96.251.201

Unpacked files

SH256 hash:

c8cd5b4d24e95445db1808a58d15a8189315fc12505708e4e2829c8655f4d632

MD5 hash:

62c8f0eb617194d3ac20cc92d148647f

SHA1 hash:

7ddad0a257d870f5bd1c2178bc0cb1814a7dd253

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/15e2286a-43fc-4002-9da4-4c6c8713a7fb/

Parent samples :

881d60034e97cfa4e36b8da907e5d2e130c9f19abdd386990ee5a9cdce91d117
8cfad47521642927f7ab5f7401445393ab916fe2f67072b44cadfa89c11a40fe
7efe8c83ab4ba8773421d7f897a1c490214118f7924d5a45868b070cae6899dd
47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b
8cd071a056f555c793b95c82f9eff1fcf60e304a1e9589988e9819f27a754256
9261b47b4fd67523f7afe640e55ccb95ec8b154b5dfa34a8564986ac3e97fe1a
c9f213f89ae4eb4e3ef4ec3cd71d3440adfdb9aee07841da844e4c176ff53869

SH256 hash:

8ebcdb4d9102eb770d460c330134becbb7fc2a6ab3d648f1b87d6d76f766ab57

MD5 hash:

08720501f82cbc426cbee469688cc2c0

SHA1 hash:

3eb0aff1360edf79c789297db72eb100f57a8abd

Link:

https://www.unpac.me/results/15e2286a-43fc-4002-9da4-4c6c8713a7fb/

SH256 hash:

8cfad47521642927f7ab5f7401445393ab916fe2f67072b44cadfa89c11a40fe

MD5 hash:

0a7efdf643e54621fe9b9e5a29c06faf

SHA1 hash:

0db17d1fcb4464120a6f3b088693f7b370fd0153

Link:

https://www.unpac.me/results/15e2286a-43fc-4002-9da4-4c6c8713a7fb/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8cfad4752164/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8cfad47521642927f7ab5f7401445393ab916fe2f67072b44cadfa89c11a40fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/374195/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample