MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f1c5b1771516be31b865dfc6b1829e9209e50baa159fc526ddac231430b2789. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	8f1c5b1771516be31b865dfc6b1829e9209e50baa159fc526ddac231430b2789
SHA3-384 hash:	b73bd8ef97cdec9d6d36f7f4ff796f19b41377ab7c0b2153be95b35f48e253f8a428fd5f69dbcd65db87c218dd5b4447
SHA1 hash:	4d13deedaf01573be3a37e007a4f9e0e3a394254
MD5 hash:	70fd784e56571d8062e1e5ff4d6c8ce3
humanhash:	lemon-mobile-alanine-ohio
File name:	entrat_unpacked.bin
Download:	download sample
Signature	Gozi Create hunting rule
File size:	41'369 bytes
First seen:	2023-01-10 15:39:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1640d668d1471f340cbe565fe63522f6 (15 x Gozi)
ssdeep	768:LKbMPv5JLLy2yV34OB9bl5n+iRjn9P1avZa9Bmr1h097mI5:L4MHLLLNyt5+0zavZangX097m
Threatray	926 similar samples on MalwareBazaar
TLSH	T12E03E0A21CB25977EFDF80B84FFAE094A37295911E19C0891733CD6ED3A8D4161B7643
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	Viuleeenz
Tags:	agenziaentrate exe Gozi isfb unpacked Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

228

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

entrat_unpacked.bin

Verdict:

No threats detected

Analysis date:

2023-01-10 15:41:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0ab49e03-4c44-43c1-a87a-d2a97c946f53

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/351582/

Detection(s):

SecuriteInfo.com.Variant.Razy.853307.12927.6711.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

gozi overlay packed razy ursnif

Link:

https://www.filescan.io/uploads/63bd86d4fc9525ae8a452a47/reports/0aaa6ce2-9463-4cb7-826d-156a79faa943/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0316829a-b35c-4ae5-8e65-bf983c00500b

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1148911

Signature

Antivirus / Scanner detection for submitted sample

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8f1c5b1771516be31b865dfc6b1829e9209e50baa159fc526ddac231430b2789/

Threat name:

Win32.Infostealer.Gozi

Status:

Malicious

First seen:

2023-01-10 15:40:07 UTC

File Type:

PE (Exe)

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r4ofwf3rkfv6gg4glx6gwgbj5eqj4uf2ufm7yutn3lbdcqyle6eq._file

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:7703 banker isfb trojan

Link:

https://tria.ge/reports/230110-s37qcscd2t/

Behaviour

Gozi

Malware Config

C2 Extraction:

checklist.skype.com
62.173.138.234
31.41.44.112
91.107.119.114

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3ba92d90-3098-4836-9ffb-42ff109f32b2

Unpacked files

SH256 hash:

90899f0cae6331ec8615641155f1b1018434d028644ff725af600b6e78c47c71

MD5 hash:

a3068aae0158ed3dd9805755394f28c1

SHA1 hash:

30d56782a1782982dddf315d0e8f4810e85acb67

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/074ed098-4f56-47c2-800c-6ddfede93112/

Parent samples :

a05dc87818dade7167f782409ae3d601be2a4565b896ea7f74610539724c5d75
789bd7d9d615cc2a6cd59593b7700272ff937d944572441c33659e5b96c79ff4
8f1c5b1771516be31b865dfc6b1829e9209e50baa159fc526ddac231430b2789

SH256 hash:

8f1c5b1771516be31b865dfc6b1829e9209e50baa159fc526ddac231430b2789

MD5 hash:

70fd784e56571d8062e1e5ff4d6c8ce3

SHA1 hash:

4d13deedaf01573be3a37e007a4f9e0e3a394254

Link:

https://www.unpac.me/results/074ed098-4f56-47c2-800c-6ddfede93112/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8f1c5b177151/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.34

Link:

https://yomi.yoroi.company/submissions/8f1c5b1771516be31b865dfc6b1829e9209e50baa159fc526ddac231430b2789

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/351582/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample