MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90663d341cc9a6e9d33df216882beea6dd451ab6a16e57f73392683018309b82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90663d341cc9a6e9d33df216882beea6dd451ab6a16e57f73392683018309b82
SHA3-384 hash: 1648f6bf000715bf6beaf2aa9203c94cda641c66be113f15576abdec69ff3064c2a330345a82924acc034f09b4cb273d
SHA1 hash: 10c3b841313d765e380460506d5e760b2423680a
MD5 hash: ed8988f1433e30276b87384f16825116
humanhash: ink-triple-hawaii-six
File name:2217.js
Download: download sample
Signature Gozi
Create hunting rule
File size:284'787 bytes
First seen:2021-09-03 15:35:06 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:0kOBFat5zNdsKOVxqEuS+Vh1X62YJZ5Zzv2jTaY7Qe1buo:0kOLbqh9MB5iz1L
TLSH T1FC54AE50FA8020510ED363D79D1262E1FA7DC411935120A9F89EA39C7B536ECD3BAB7E
Reporter abuse_ch
Tags:202108021 Gozi js


Avatar
abuse_ch
Gozi payload URLs:
https://quickdrive.ae/js/JS000082510952000/dll/assistant.php
https://quickdrive.ae/js/JS000082510952000/pattern.exe

Gozi C2s:
https://hotroad.cyou/index.htm
https://monotep.xyz/index.htm

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'185
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.SNH.ScriptDropper.120.30575.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90663d341cc9a6e9d33df216882beea6dd451ab6a16e57f73392683018309b82/
Threat name:
Script-JS.Trojan.TrickBot
Create hunting rule
Status:
Suspicious
First seen:
2021-09-03 15:36:07 UTC
AV detection:
3 of 43 (6.98%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sbtd2na4zgtotuz56iliqk7ou3oukgvwufxfp5ztsjudagbqtoba._file
Result
Malware family:
gozi_rm3
Create hunting rule
Score:
  10/10
Tags:
family:gozi_rm3 botnet:202108021 banker trojan
Link:
https://tria.ge/reports/210903-s1xsdadcc8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Enumerates physical storage devices
Blocklisted process makes network request
Executes dropped EXE
Gozi RM3
Malware Config
C2 Extraction:
https://hotroad.cyou
Dropper Extraction:
https://quickdrive.ae/js/JS000082510952000/dll/assistant.php
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/90663d341cc9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90663d341cc9a6e9d33df216882beea6dd451ab6a16e57f73392683018309b82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:unknown_dropper
Create hunting rule
Author:#evilcel3ri
Description:Detects an unknown dropper
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Gozi

Java Script (JS) js 90663d341cc9a6e9d33df216882beea6dd451ab6a16e57f73392683018309b82

(this sample)

Gozi

Executable exe 0191114a1ad51d073bd2084d21f70d71f2ae748a790455c4a708915ad7533d2d

  
URLhaus
https://urlhaus.abuse.ch/host/quickdrive.ae/
  
Dropping
SHA256 0191114a1ad51d073bd2084d21f70d71f2ae748a790455c4a708915ad7533d2d
  
Dropping
MD5 dc8c09dcce354cf148b724e4b5210cc4

Comments