MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e2a28aad8af599120e8c298c7d82e755c4945b31528a15322b0ae792a6de6c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 4

SHA256 hash: 8e2a28aad8af599120e8c298c7d82e755c4945b31528a15322b0ae792a6de6c5
SHA3-384 hash: c311564a76d936d6c6ce81faff7fdf10c94e88759553d6c9030ebfcb2f62bd6398086d62732319f7795b519e25a53269
SHA1 hash: 7dff7e1c510cd0bad34e93af35b9c82f5f9748ca
MD5 hash: 1d67476fa4d60d11886399b6870263b8
humanhash: network-summer-connecticut-carolina
File name: fattura.exe
Download: download sample
Signature: Gozi
File size: 244'736 bytes
First seen: 2020-04-28 07:13:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d560f93a9b6b3fae5fcd9f6db90ad6af (1 x Gozi)
ssdeep: 3072:4uhnzYVJ9HbBNrgXrceVla3ccigux50IeDRhmfPL+:4uhzYVJ9HF2PaMUuxMmC
Threatray: 398 similar samples on MalwareBazaar
TLSH: B0349D1033F1C267E2B6B5301875A7A5293BFCC2777485AF27841A1EDE316824A7772B
Reporter: abuse_ch
Tags: Dreambot, exe, geo, Gozi, ITA, Ursnif


abuse_ch
Malspam distributing Gozi in Italy. Various sending IPs and subjects. For example:

HELO: bancained.eu
Sending IP: 46.8.209.87
From: Saldo fattura <fattura@donroma.com>
Subject: Il tuo ordine e stato completato
Attachment: fattura_2.xls

Gozi payload URL:
http://gstat.dondyablo.com/fattura.exe

Gozi C2:
securezza.at

Hosted on a FastFlux botnet.

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'984
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2020-04-28 07:35:24 UTC
File Type: PE (Exe)
Extracted files: 32
AV detection: 29 of 31 (93.55%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ursnif
Author: JPCERT/CC Incident Response Group
Description: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory
Reference: internal research

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

Delivery method: Malspam
Malware family: Gozi
File: Executable exe 8e2a28aad8af599120e8c298c7d82e755c4945b31528a15322b0ae792a6de6c5 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing DLL Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::GetSecurityDescriptorSacl
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegSetValueExA
