MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d6b9622624cd70b06e66291bcc27de61ef12aef1a8423ac5af77a9ae33456b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 4



SHA256 hash: 8d6b9622624cd70b06e66291bcc27de61ef12aef1a8423ac5af77a9ae33456b0
SHA3-384 hash: 08191c7836371ba1d43535af803f19eb3ee462bd6dc7d421f764f7622e18306f791ec8ec5df96518545383761b537991
SHA1 hash: 29a5cba4725eae89d4d94ddfd2767cddeb93f7be
MD5 hash: ee92989c475e352b88f46663f59b30ea
humanhash: nuts-winner-eight-london
File name: sfzs5.cab
Signature: Gozi
File size: 570'368 bytes
First seen: 2020-05-26 08:44:18 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: a440a54b8045e21df5bd1e214e6fc6bd (1 x Gozi)
ssdeep: 12288:yqy/3xknRxjigBaXH44KIi0aoRq6YPJBHCtS135SqLQTqZju7ona:yq23xkRxjigBaXH44KIsoq6h8Eu1u0n
Threatray: 445 similar samples on MalwareBazaar
TLSH: 54C4BF1036C2D036E9BE06354815D676097EBD604E70EAEBB7D01B7F5FFA1C28621A63
Reporter: abuse_ch
Tags: DEU dll geo Gozi Valak


abuse_ch
Valak payload URL:
http://kuvk07l2dzj6wfc.com/gg88wyaftcxr7gu/wo0zz.php?l=sfzs5.cab

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'849
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Cridex
Status: Malicious
First seen: 2020-05-26 09:37:05 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 15 of 48 (31.25%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:valak Loader
Behaviour
Suspicious use of WriteProcessMemory
JavaScript code in executable
Valak
Valak JavaScript Loader
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 8d6b9622624cd70b06e66291bcc27de61ef12aef1a8423ac5af77a9ae33456b0

(this sample)
