MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e5d52727fd76e7fc3078c8bc3607e8d0fc2b4d9eaf09de824c59f2ed26b0f21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Gozi
Vendor detections: 9

SHA256 hash: 8e5d52727fd76e7fc3078c8bc3607e8d0fc2b4d9eaf09de824c59f2ed26b0f21
SHA3-384 hash: d2117ec3c36528e7de2ece70f40d067defff341cfa102a256960cfc793a9814065c34f59635561dfd16bde4b9277776d
SHA1 hash: cd2faa0ea08db2a1c9c430891c4a82304d3add57
MD5 hash: 8f3156ba5435223bb30229eb2e2c4234
humanhash: florida-moon-south-sink
File name: nazionale.bin
Signature: Gozi
File size: 229'724 bytes
First seen: 2020-08-14 06:57:00 UTC
Last seen: 2020-08-24 10:27:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep: 3072:lomnzVincQDKgc9BTlCDmA0TJ6LUe3PjXxdE1mWv4gg91HacEr1hheniNxbl9cih:ltZxBBFA0T3e/D2PQU4vUbASVg7lGN
Threatray: 117 similar samples on MalwareBazaar
TLSH: 132449A1E28058E5EC5E0774543BAC26C593BF66A9B346FE011D34FC6B73F93106A90B
Reporter: JAMESWT_WT
Tags: Gozi

Intelligence

File Origin
# of uploads: 2
# of downloads: 280
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Result
Threat name:
Detection: malicious
Classification: bank.troj.evad
Score: 92 / 100
Signature
Creates a COM Internet Explorer object
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (ID: 266882; Sample: nazionale.bin; Startdate: 15/08/2020; Architecture: WINDOWS; Score: 92)

Sample-level signatures:
  Found malware configuration
  Yara detected Ursnif
  Machine Learning detection for sample

Process tree (recovered from the graph; per-node counters are not recoverable from the extracted text):
  nazionale.exe (started)
    dropped file: C:\Users\user\AppData\Local\...\System.dll (PE32)
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Maps a DLL or memory area into another process; 2 other signatures
    -> nazionale.exe (started)
         signature: Creates a COM Internet Explorer object
  iexplore.exe (started)
    -> iexplore.exe (started)
         DNS: pop5.yahoo.com
  iexplore.exe (started)
    -> iexplore.exe (started)
         DNS: pop5.yahoo.com
  iexplore.exe (started)
    -> iexplore.exe (started)
         network: 95.181.178.238, port 80 (NEOHOST-ASUA, Russian Federation)
         network: gstat.rayzacastillo.com, 109.248.11.134, port 80 (ASKONTELRU, Russian Federation)
Threat name: Win32.Trojan.TrickBot
Status: Malicious
First seen: 2020-08-13 12:03:55 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 25 of 29 (86.21%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour: NSIS installer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments