MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac
SHA3-384 hash: 29f07160a7695c35bf8afe7186fc8d425d6cfbaba29ed84601ee6fe799122423d4c0607c533413d31badf7191d171fce
SHA1 hash: 27d15f36cb5e3338a19a7f6441ece58439f830f2
MD5 hash: b034e2a7cd76b757b7c62ce514b378b4
humanhash: avocado-tennis-carbon-jersey
File name:good.bin
Download: download sample
Signature Gozi
Create hunting rule
File size:146'432 bytes
First seen:2020-10-06 05:49:03 UTC
Last seen:2025-01-23 03:00:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c937eaab75273f08f864d0e18635692 (1 x Gozi)
ssdeep 3072:VMb/kbqjO/3FxV8l8wiEXHPV9r99rWhzAxH7wpjv4z:VMxo3Z8BvV9rL6h2H7wJ4
Threatray 33 similar samples on MalwareBazaar
TLSH D7E35C47B1CA3E50C3B415FD700FBFBA9151C9266825E180EFBF1B43D5A8F0127A5AA6
Reporter JAMESWT_WT
Tags:Gozi

Intelligence

File Origin
# of uploads :
3
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68411/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Blocking the System Restore
Connection attempt to an infection source
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482305
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Disables Windows system restore
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to resolve many domain names, but no domain seems valid
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac/
Threat name:
Win32.Ransomware.GandCrab
Create hunting rule
Status:
Malicious
First seen:
2019-04-04 17:55:40 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
41 of 48 (85.42%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
044e1fb5fc6ecd58ea3ad131054c27c448312974086e205241768b61f165db3c
Gozi
15e8c986c4602c61a474b51d250e03d5bb178eabc8c5a82a242c1a0fa2227704
Gozi
79fc5ee64b7974a44e1e8c5cd6d64aa7a90b1103d510bb6ae0dca6aab031ef9d
Gozi
7b63849eb25736a10f00ca0abf1322f60a7a16d7f798c9f198a893cfcdba7e47
Gozi
8adad3ca7cdd5a453b186cf7bc14d47bdba384d5ad2a734a344be8af5e191139
Gozi
ba89f7dc0cf7460c81cf90fdfdb3f4a659458f6544108942f5ea44b5f962c98d
Gozi
c0e0d11a66b1a521d07699e2c57919267b8a86c8f8611768c08777a2bcd804bd
Gozi
c304a479235303c0725cf36845313692e5d9a2d9f7db7e77de3c0d75229c5e0f
Gozi
d4487b370ba2645516192a1461cb25ed3d11d02e4d0fdce3025269ca7d63aefa
Gozi
eba6afed10bd6e1475067da62d7dd7b4b2d56b0dce09edb2cfd0a0d7bc1c0047
Gozi
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
upx persistence evasion trojan
Link:
https://tria.ge/reports/201006-ngcr1xq57e/
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
UPX packed file
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Unpacked files
SH256 hash:
90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac
MD5 hash:
b034e2a7cd76b757b7c62ce514b378b4
SHA1 hash:
27d15f36cb5e3338a19a7f6441ece58439f830f2
Link:
https://www.unpac.me/results/487956db-55dd-4af1-bd01-c348d248582a/
SH256 hash:
6bf0c94435bc15cd9c930c58b66935d6d8a74194d68b70cde56aaad9f8b791e7
MD5 hash:
a3cf665c5987e6d2e48d027f4aa8b7f3
SHA1 hash:
050fc57e60830d25e3084eda3e02940b84a086a5
Link:
https://www.unpac.me/results/487956db-55dd-4af1-bd01-c348d248582a/
SH256 hash:
3ebca4d21c484f97a0b607693e36359b7ddb8eefa67ea29364629eb5b40cc7f4
MD5 hash:
444903bcc71087ba7c5c2d18d9cd5532
SHA1 hash:
3593d356202aff91465f797a42ee8a071e507f3c
Link:
https://www.unpac.me/results/487956db-55dd-4af1-bd01-c348d248582a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/90d3580e187b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/68411/
  
URLhaus
https://urlhaus.abuse.ch/url/171468/
  
Delivery method
Distributed via web download

Comments