MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e8b84c841ade24a5d37953d56881e5a4e6bfa3eb133621dc835f92e51b6df79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	8e8b84c841ade24a5d37953d56881e5a4e6bfa3eb133621dc835f92e51b6df79
SHA3-384 hash:	fdf4dc71d30a8d3adf326993e91416d6befd86881ffa49def2cb2b11b1d634a2346a3dc44b5250a2f5a41e8a500140e5
SHA1 hash:	176093a11ea186c1b0e391f0700d970be762b4c8
MD5 hash:	3f510cf43ade5a578509f6131b958978
humanhash:	august-hamper-burger-johnny
File name:	0b0772d27a47c79be0d9c2e82d057ff7
Download:	download sample
Signature	Gozi Create hunting rule
File size:	232'168 bytes
First seen:	2020-11-17 12:28:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	baa634aefeafb4b29cdeb172fe1f2671 (11 x Gozi)
ssdeep	6144:8hsXmXuM+2WusiU3RkQAzoJ3W03iJFftt:85eM+2W53KzB03CV
Threatray	7 similar samples on MalwareBazaar
TLSH	58346C203981C032E8760530A4FCBB66952A7FB50B7194DBB7B4BE5CBE292D24574F27
Reporter	seifreed
Tags:	Gozi

Intelligence

File Origin

# of uploads :

1

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending an HTTP GET request

Sending an HTTP POST request

Creating a process from a recently created file

Creating a file

Moving a recently created file

Moving a file to the Windows subdirectory

Sending a custom TCP request

Deleting a recently created file

Replacing files

Launching a service

Sending a UDP request

Creating a file in the Windows subdirectories

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8e8b84c841ade24a5d37953d56881e5a4e6bfa3eb133621dc835f92e51b6df79/

Threat name:

Win32.Trojan.Babar

Status:

Malicious

First seen:

2020-11-17 12:31:58 UTC

AV detection:

12 of 28 (42.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r2fyjscbvxreuxjxsu6vnca6ljhgx6r6wezwehoigx4s4unw354q._file

Verdict:

unknown

Similar samples:

4547f1174d1400e41a8072651b4a71c3b8a672f491163e9f09175c7838153200

55897dc537d308842906dbf8bffde6eb846cdd6b5e9584d7efcbe7c342d5e699

7364ac8ee7f693d8b81815103c39f2d92b018b511aa17918282954dbce451478

7d3beeb2ab6a13038bce7d962a19a4d004a4526934823e23b8f1c5f68ed1800e

9a5e050fb6470a1a5fabf963ce60a23237a0ef553c18875770cd4ada41c5b259

c6a810bf84ea3fd17a282d2a10bec7811c79ff751d5dbcf9eb84cff95f1fd5ba

ca3cc0fc804c69584801fc33a39effafb6b2a747f4ef0958348cc13eaa2c5e3f

Result

Malware family:

n/a

Score:

10/10

Tags:

bootkit persistence

Link:

https://tria.ge/reports/201117-qzr7zztc6n/

Behaviour

Checks processor information in registry

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies service

Checks for any installed AV software in registry

JavaScript code in executable

Writes to the Master Boot Record (MBR)

Loads dropped DLL

Executes dropped EXE

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

8e8b84c841ade24a5d37953d56881e5a4e6bfa3eb133621dc835f92e51b6df79

MD5 hash:

3f510cf43ade5a578509f6131b958978

SHA1 hash:

176093a11ea186c1b0e391f0700d970be762b4c8

Link:

https://www.unpac.me/results/281f2720-af5f-4b61-a5a7-49179a3d6890/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample