MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 988177454fe3a5ba8fcdf7f3124e2c56f312b776542d3763540c254df6fe6f76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 988177454fe3a5ba8fcdf7f3124e2c56f312b776542d3763540c254df6fe6f76
SHA3-384 hash: e646b4c6eb9d2d3faef759307e234fb8b1dd098adacb37d9005ce45a8a567529ba77a7bff0675a5619474505f77a1279
SHA1 hash: aff82f0554f18c780561d6b8b1ca5a1001e42512
MD5 hash: 4ed3fa33609a51baf209a5954bef6633
humanhash: neptune-hydrogen-august-carolina
File name:4ed3fa33609a51baf209a5954bef6633.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:1'241'656 bytes
First seen:2022-05-19 11:08:58 UTC
Last seen:2022-05-20 06:55:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 06a834e3824803366fcfecb5c9777295 (3 x RedLineStealer, 3 x ArkeiStealer, 1 x Gozi)
ssdeep 24576:21uu0F2xRqVHdQ9PerE5gOGFGtCZXUzvjJMFHk1Udgd:A02WdQ9GCOFb6eXO
Threatray 159 similar samples on MalwareBazaar
TLSH T1AC4501017D8CC031ECA226B43836E295A13B7D81672664CB65F9B3AF95B1BC0DD79363
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 469b61415979369d (1 x Gozi)
Reporter abuse_ch
Tags:exe exxon-com Gozi signed

Code Signing Certificate

Organisation:exxon.com
Issuer:GeoTrust RSA CA 2018
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-30T00:00:00Z
Valid to:2022-09-02T23:59:59Z
Serial number: 0a2787fbb4627c91611573e323584113
Intelligence: 18 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 97135cba56d0300287df31c8b39546ad4605fb9c88311aeb0b12b76ac15c46bf
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
445
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4ed3fa33609a51baf209a5954bef6633.exe
Verdict:
Suspicious activity
Analysis date:
2022-05-20 03:07:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/415ea245-1e8d-4079-a9e3-44cd314db7e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272456/
Detection(s):
SecuriteInfo.com.Variant.Jaik.74668.4870.22563.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/18866/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CallSleep
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6286258d3baea5a8c042e7fb/reports/2aa1ed33-a177-4fcd-91a2-4547ca7ca894/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/258b303c-14a0-414b-b11f-a28ef9c44c61
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/997660
Signature
Allocates memory in foreign processes
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/988177454fe3a5ba8fcdf7f3124e2c56f312b776542d3763540c254df6fe6f76/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2022-05-19 05:59:58 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
20 of 41 (48.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0a66e8376fc6d9283e500c6e774dc0a109656fd457a0ce7dbf40419bc8d50936
Gozi
22a462b2da9c893b5f37dbbc19697d6aeaa28758c2338fca3a806e8d9d3ac483
Gozi
315b13c6d80997dd76a01c15b78651d7a1cb54f8432fc25ad95c8573ba4b52d6
Gozi
3362915be3f3ed1572f4ba757d155608f54a460fd935bfe3f37138cf0fe383b6
Gozi
5298257931fb4fcb64bd0e0ba48a2f1f4f1b501813b27d2aabd82056a4feb957
Gozi
9c2a2b8d88ab02d37e21c9b97f10b26543daedf353ce76c17b445688b0a041d6
Gozi
a7e43f89844a769fd9607d78151ebcfac02f58412f7800701b9978e11c82656c
Gozi
+ 149 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220519-m84yrshdep/
Behaviour
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
131e015b02007229fcb67295696ccf38bdb36d7137f6e14b652e3939ff6cfdde
MD5 hash:
c4f88db4714fff0d110e566100c05360
SHA1 hash:
f8d9932fafa9d212a3fb0e9ed52c58da1b080b2b
Link:
https://www.unpac.me/results/6a05b2cc-b6e9-4dd9-bcd0-76784ba38692/
SH256 hash:
568d80136801c6fe4b01524957c6cde12a503378a26f62035b4873312f822486
MD5 hash:
0eab66217056bc63bad3a547b5939a6e
SHA1 hash:
2ffd7acd61f9c244af18b8f456f70f96e2daaeff
Link:
https://www.unpac.me/results/6a05b2cc-b6e9-4dd9-bcd0-76784ba38692/
SH256 hash:
988177454fe3a5ba8fcdf7f3124e2c56f312b776542d3763540c254df6fe6f76
MD5 hash:
4ed3fa33609a51baf209a5954bef6633
SHA1 hash:
aff82f0554f18c780561d6b8b1ca5a1001e42512
Link:
https://www.unpac.me/results/6a05b2cc-b6e9-4dd9-bcd0-76784ba38692/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/988177454fe3a5ba8fcdf7f3124e2c56f312b776542d3763540c254df6fe6f76

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 988177454fe3a5ba8fcdf7f3124e2c56f312b776542d3763540c254df6fe6f76

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/272456/
  
URLhaus
https://urlhaus.abuse.ch/url/2202210/
  
Delivery method
Distributed via web download

Comments