MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f97d27f6865a095851353708666db5b68d831cc4e6251089d236a58f89a2aaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f97d27f6865a095851353708666db5b68d831cc4e6251089d236a58f89a2aaf
SHA3-384 hash: 682a9589251a825343b6ecdb68de8b507afe9612865a0cda4a7f2cd7c39e44c06919db6073811b72d286b631893473dd
SHA1 hash: 5c670cca85a42f37fc24d90edf571370728e8219
MD5 hash: bdc6b11784a7b4101508a37988ad2182
humanhash: mississippi-stream-east-johnny
File name:scarica.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:334'336 bytes
First seen:2023-01-23 14:49:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eeee268b6406cc3de64a027329920a2 (7 x Smoke Loader, 3 x Gozi, 2 x RedLineStealer)
ssdeep 6144:ZBReLzfL+y1ddT/q0tQK/fu1d0oumTb1:ZmnfL+2dxJtQKXu1e
Threatray 3'656 similar samples on MalwareBazaar
TLSH T14B64AD837AF4AC52D63646318D0BDAFC759DB8968E18B7372235DA2F24B0673C573218
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 281c3494948484c0 (1 x Gozi)
Reporter JAMESWT_WT
Tags:agenziaentrate exe Gozi Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
scarica.exe
Verdict:
No threats detected
Analysis date:
2023-01-23 14:51:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dbc72cff-cf49-4dc9-9ed0-ffba872df707

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
UrsnifV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/355912/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63ce9e9c89bd67c10fd97ccd/reports/8a8355e4-e652-4f8a-81de-d1dd75e7c350/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a041e2ef-0419-454c-b6f5-1ca3f74aed52
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157070
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f97d27f6865a095851353708666db5b68d831cc4e6251089d236a58f89a2aaf/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-01-23 14:50:07 UTC
File Type:
PE (Exe)
Extracted files:
92
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r6l5e73imwqjlbitknyimzw3lnunqmomjzrfcce5envfr6e2fkxq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a
Gozi
6a85735e5412ab19cfcfbe329566e17ae6678dc52ddea44b74e873a6d3f82561
Gozi
737bff8488486744c65118caaadaa03cc43981ec3c5b6c6bea544f3366f0873a
Gozi
7796075f1ef6325830eed5369b7e5930ca514b6f32d304d51434873fcb5031e0
Gozi
8b154b06cc094eb22a4aae98f2bc60e4759f6258aa5bfb364f44b665bf65ff1e
Gozi
a0582f1620e556673fb326be7c5861dc418a91877db39699c62d56edf0066296
Gozi
b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4
Gozi
f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2
Gozi
+ 3'646 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7707 banker isfb trojan
Link:
https://tria.ge/reports/230123-r7kwqadg44/
Behaviour
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.149.10
31.41.44.27
193.0.178.235
Unpacked files
SH256 hash:
05d1e45c65cc53e935153e6278089cb228cceffbcdc65067c30273265bc2ce9c
MD5 hash:
6bddc7ac5daf41b61eb3641d804f49eb
SHA1 hash:
6499cffa7ffdd633390c99f5c41df3c96d62f34e
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/186fa06a-5deb-495a-970a-9ad1b14c1e2d/
Parent samples :
7796075f1ef6325830eed5369b7e5930ca514b6f32d304d51434873fcb5031e0
6a85735e5412ab19cfcfbe329566e17ae6678dc52ddea44b74e873a6d3f82561
8b154b06cc094eb22a4aae98f2bc60e4759f6258aa5bfb364f44b665bf65ff1e
a0582f1620e556673fb326be7c5861dc418a91877db39699c62d56edf0066296
8f97d27f6865a095851353708666db5b68d831cc4e6251089d236a58f89a2aaf
7795986ba1469a24229fa4677c86267d2ea81f7309bf2b037f41986f9de33e95
43c74657d446c3b7867dde69f79b4839927c9cc10a421798969c433dd8dde174
05d1e45c65cc53e935153e6278089cb228cceffbcdc65067c30273265bc2ce9c
SH256 hash:
2d5307ceb90e53fb4aa419cad94286cf972f1f907efcf05d8e025b1cf1d423d2
MD5 hash:
7ec2a06328e521228c774ea354abf7a2
SHA1 hash:
637ae913484853bd1312bd94dc97123f45f1ab00
Link:
https://www.unpac.me/results/186fa06a-5deb-495a-970a-9ad1b14c1e2d/
SH256 hash:
8f97d27f6865a095851353708666db5b68d831cc4e6251089d236a58f89a2aaf
MD5 hash:
bdc6b11784a7b4101508a37988ad2182
SHA1 hash:
5c670cca85a42f37fc24d90edf571370728e8219
Link:
https://www.unpac.me/results/186fa06a-5deb-495a-970a-9ad1b14c1e2d/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f97d27f6865/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f97d27f6865a095851353708666db5b68d831cc4e6251089d236a58f89a2aaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355912/

Comments