MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91a164b4bb9928bb54f1b977a9a3cf0bedc818be9f4c8f893304f6e5561c9cdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91a164b4bb9928bb54f1b977a9a3cf0bedc818be9f4c8f893304f6e5561c9cdd
SHA3-384 hash: c7e1a222c8d542ef634c65379dd42661f8213f40c44d833c9c51d3df7c4347b77deec245acd27959967c5510a0340861
SHA1 hash: 4f605cd6e741fa10d3d3f5ab2761d4d450ce73fa
MD5 hash: bcfb15e2c5ff8328fd767ed60dc90846
humanhash: fruit-orange-green-dakota
File name:bcfb15e2c5ff8328fd767ed60dc90846.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:143'872 bytes
First seen:2021-03-20 08:34:14 UTC
Last seen:2021-03-20 11:36:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c1a3e3dc50ea59c5d4515c5b5715765 (1 x Gozi)
ssdeep 3072:w4nfPgQu+WZ0l2kdRs6eVILhI0iqcPpJlXaMkP/cnVc:wCgQuxZ0l2c+pVWhI0azlAkO
Threatray 711 similar samples on MalwareBazaar
TLSH B0E3BFC0F1A4808DF19B553588336EA47EBCAC596D22C316B3D6351DBCBB260AC59B37
Reporter abuse_ch
Tags:exe Gozi isfb RM3

Intelligence

File Origin
# of uploads :
2
# of downloads :
401
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bcfb15e2c5ff8328fd767ed60dc90846.exe
Verdict:
Malicious activity
Analysis date:
2021-03-20 08:35:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6dbb61a1-9598-477e-86ce-bb354b9158f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Netwalker
Create hunting rule
Link:
https://www.capesandbox.com/analysis/125778/
Detection(s):
SecuriteInfo.com.Mal.EncPk-APW.11405.39.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Sending a UDP request
Deleting a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1cf7ab83-2d8d-44fa-8da4-104d2c1aa9f3
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/646825
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 372382 Sample: fPc9MvHeJn.exe Startdate: 20/03/2021 Architecture: WINDOWS Score: 84 20 vtdiafox.cyou 2->20 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected  Ursnif 2->30 32 Machine Learning detection for sample 2->32 7 fPc9MvHeJn.exe 2->7         started        11 iexplore.exe 1 72 2->11         started        13 iexplore.exe 1 50 2->13         started        signatures3 process4 dnsIp5 22 vtdiafox.cyou 7->22 34 Detected unpacking (changes PE section rights) 7->34 36 Detected unpacking (overwrites its own PE header) 7->36 38 Writes or reads registry keys via WMI 7->38 40 Writes registry values via WMI 7->40 15 iexplore.exe 33 11->15         started        18 iexplore.exe 29 13->18         started        signatures6 process7 dnsIp8 24 vtdiafox.cyou 15->24 26 vtdiafox.cyou 18->26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91a164b4bb9928bb54f1b977a9a3cf0bedc818be9f4c8f893304f6e5561c9cdd/
Threat name:
Win32.Infostealer.Gozi
Create hunting rule
Status:
Malicious
First seen:
2021-03-20 08:35:06 UTC
AV detection:
15 of 47 (31.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sgqwjnf3teulwvhrxf32ti6pbpw4qgf6t5gi7cjtat3okvq4ttoq._file
Verdict:
malicious
Similar samples:
5bd267095b25bea0d5a95b4d6c22b871056ca7b8dc137351850d6a577ba62b80
Gozi
7389677e946cac4226da9b84eca90b94b59d46cf2bf4541ea58d96d39e6669d5
Gozi
76c8a9dbff9b571500729611595f1a1bce8dab543922d731c3bb42af5477f517
Gozi
7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec
Gozi
8092e8842e1f992f109e158672c97f4cf67eab62ed6f017b5f4c0378fbfda264
Gozi
94bb5ce324e3dbf3b2f19b85d33b77b376539ef51dce95443803c9036ffb2be3
Gozi
9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0
Gozi
adef1e98019e2b2fcac75f287caf986ab16153cd40e45b803db0c2a3dd122559
Gozi
c788a7e6d4c74e709845a01627e3cd7bb596dabbafb75aaf3929315e4b58e3e1
Gozi
f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
Gozi
+ 701 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210320-evxzfs39nn/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
fd2f2a8c5a861a693acdeb3f557b9574f4923f3cc800d63292df9c1003096f91
MD5 hash:
c540716902a0dce25a30c92f96547a3d
SHA1 hash:
f6907e613ccbd9ba35d78d0c01650586999e7c92
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/5b65c75e-e27d-466a-bc9d-50573258757e/
SH256 hash:
91a164b4bb9928bb54f1b977a9a3cf0bedc818be9f4c8f893304f6e5561c9cdd
MD5 hash:
bcfb15e2c5ff8328fd767ed60dc90846
SHA1 hash:
4f605cd6e741fa10d3d3f5ab2761d4d450ce73fa
Link:
https://www.unpac.me/results/5b65c75e-e27d-466a-bc9d-50573258757e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tnega
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91a164b4bb9928bb54f1b977a9a3cf0bedc818be9f4c8f893304f6e5561c9cdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 91a164b4bb9928bb54f1b977a9a3cf0bedc818be9f4c8f893304f6e5561c9cdd

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/125778/
  
URLhaus
https://urlhaus.abuse.ch/url/1078918/
  
Delivery method
Distributed via web download

Comments