MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e570e32acb99abfd0daf62cff13a09eb694ebfa633a365d224aefc6449f97de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e570e32acb99abfd0daf62cff13a09eb694ebfa633a365d224aefc6449f97de
SHA3-384 hash: 1550db2ecacfddab46b198830a131755069ea1bd0b0b3cdc204cbacdee0453a7b5ce467f2a3f38400933d5ba706cd9d8
SHA1 hash: d1b2dd93026b83672118940df78a41e2ee02be80
MD5 hash: 60375d64a9a496e220b6eb1b63e899b3
humanhash: stream-alanine-alabama-stairway
File name:makeAbout.db
Download: download sample
Signature Gozi
Create hunting rule
File size:359'424 bytes
First seen:2022-08-26 08:54:25 UTC
Last seen:2022-08-26 09:41:01 UTC
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 6144:S5UwskH5M4JuJAGEshm9uu7tDC/vjalCX6hBydwErnZJ2hVmv3Itrfq/mENG1w2O:oUwJHGYTZhVyYtmNNEw2nSl5rrPZh5Mx
Threatray 139 similar samples on MalwareBazaar
TLSH T1EA744A2E3300E5D2D06AD4F7B941DD95227236359C81D4CAF2667FC729632F6EA92B03
TrID 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
26.3% (.EXE) Win32 Executable (generic) (4505/5/1)
11.8% (.EXE) OS/2 Executable (generic) (2029/13)
11.6% (.EXE) Generic Win/DOS Executable (2002/3)
11.6% (.EXE) DOS Executable Generic (2000/1)
Reporter pr0xylife
Tags:dll Gozi pwd-74563

Intelligence

File Origin
# of uploads :
4
# of downloads :
377
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301357/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.883.17547.8920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63088a6cd7605fd95ea36515/reports/31e82d8f-fd19-4930-9490-03af36adf0e5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c4bab50-2980-4dfb-a834-b7ffc67cbe51
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1058274
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 690791 Sample: makeAbout.db Startdate: 26/08/2022 Architecture: WINDOWS Score: 100 109 Snort IDS alert for network traffic 2->109 111 Multi AV Scanner detection for domain / URL 2->111 113 Malicious sample detected (through community Yara rule) 2->113 115 3 other signatures 2->115 8 loaddll32.exe 1 2->8         started        10 mshta.exe 2->10         started        12 mshta.exe 2->12         started        14 mshta.exe 2->14         started        process3 process4 16 rundll32.exe 6 8->16         started        20 regsvr32.exe 1 6 8->20         started        22 cmd.exe 1 8->22         started        30 4 other processes 8->30 24 powershell.exe 10->24         started        26 powershell.exe 12->26         started        28 powershell.exe 14->28         started        dnsIp5 79 superstarts.top 31.41.44.27, 49714, 49721, 49723 ASRELINKRU Russian Federation 16->79 97 System process connects to network (likely due to code injection or exploit) 16->97 99 Writes to foreign memory regions 16->99 101 Allocates memory in foreign processes 16->101 107 2 other signatures 16->107 32 control.exe 16->32         started        103 Writes or reads registry keys via WMI 20->103 105 Writes registry values via WMI 20->105 35 control.exe 20->35         started        38 rundll32.exe 6 22->38         started        40 csc.exe 24->40         started        43 csc.exe 24->43         started        47 2 other processes 24->47 45 csc.exe 26->45         started        49 2 other processes 26->49 51 3 other processes 28->51 signatures6 process7 dnsIp8 85 Changes memory attributes in foreign processes to executable or writable 32->85 87 Injects code into the Windows Explorer (explorer.exe) 32->87 89 Writes to foreign memory regions 32->89 95 4 other signatures 32->95 81 192.168.2.1 unknown unknown 35->81 53 rundll32.exe 35->53         started        83 superstarts.top 38->83 91 System process connects to network (likely due to code injection or exploit) 38->91 93 Writes registry values via WMI 38->93 55 control.exe 38->55         started        67 C:\Users\user\AppData\Local\...\sjocsgih.dll, PE32 40->67 dropped 57 cvtres.exe 40->57         started        69 C:\Users\user\AppData\Local\...\xkhk0l4k.dll, PE32 43->69 dropped 59 cvtres.exe 43->59         started        71 C:\Users\user\AppData\Local\...\onzweq21.dll, PE32 45->71 dropped 61 cvtres.exe 45->61         started        73 C:\Users\user\AppData\Local\...\hetizdyc.dll, PE32 49->73 dropped 63 cvtres.exe 49->63         started        75 C:\Users\user\AppData\Local\...\o0zqbxye.dll, PE32 51->75 dropped 77 C:\Users\user\AppData\Local\...\frrr1uh4.dll, PE32 51->77 dropped 65 cvtres.exe 51->65         started        file9 signatures10 process11
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8e570e32acb99abfd0daf62cff13a09eb694ebfa633a365d224aefc6449f97de/
Threat name:
Win32.Infostealer.Gozi
Create hunting rule
Status:
Malicious
First seen:
2022-08-25 20:43:44 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rzlq4mvmxgnl7ug26ywp6e5at23jj272mm5dmxjcjlx4mre7s7pa._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1277c4177d2b564b221a369c587c6a99558253234f37bfbf19fef3a63bce88b5
Gozi
44026db9b82303793e896838dd9e85def8b501ec72e3b64584db38212ea312f5
Gozi
7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc
Gozi
899718beec2df6d768081954dabec9407c79a51c807b80d69e1a4ff7cdea2629
Gozi
8e570e32acb99abfd0daf62cff13a09eb694ebfa633a365d224aefc6449f97de
Gozi
982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203
Gozi
9ec85fa9097826fce61020be2f15ed01c320109c7ec3654c2a42b1b5c46b4b6f
Gozi
e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869
Gozi
ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d
Gozi
+ 129 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000 banker trojan
Link:
https://tria.ge/reports/220826-kvfb5saagq/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
config.edge.skype.com
superstarts.top
superlist.top
internetcoca.in
193.106.191.163
Unpacked files
SH256 hash:
0fa9730a58f74959b1fce364e555bdeb5b64ac43fe9d9e938083caa4531ebfd4
MD5 hash:
81c9748eeb3fbb128911cdf14b61a765
SHA1 hash:
460b5a463517bcbc688ca2cecb2646438da83cb0
Link:
https://www.unpac.me/results/cb29cd3a-4b70-4418-be98-0fe34ec527cc/
SH256 hash:
8e570e32acb99abfd0daf62cff13a09eb694ebfa633a365d224aefc6449f97de
MD5 hash:
60375d64a9a496e220b6eb1b63e899b3
SHA1 hash:
d1b2dd93026b83672118940df78a41e2ee02be80
Link:
https://www.unpac.me/results/cb29cd3a-4b70-4418-be98-0fe34ec527cc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e570e32acb99abfd0daf62cff13a09eb694ebfa633a365d224aefc6449f97de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ISFB_Crypter
Create hunting rule
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/301357/

Comments