MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d
SHA3-384 hash:	1ddec0d5a1c5a5065d5d6c780f9737b21fee26f2f48dfc534fa73ef06a26aaa66e434d0c492582595bb7d8c806175f5b
SHA1 hash:	3f2e82445ff35440405dd1d439941c83fbc57fd3
MD5 hash:	d055f0b77a70a552d00e830b31a1157c
humanhash:	kentucky-march-glucose-pennsylvania
File name:	dow.exe
Download:	download sample
Signature	Gozi Alert Create hunting rule
File size:	198'656 bytes
First seen:	2023-03-01 14:17:14 UTC
Last seen:	2023-03-19 05:46:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c041ca475019eea5e643463b772effe2 (5 x RedLineStealer, 2 x Smoke Loader, 1 x LaplasClipper)
ssdeep	3072:BUEN6BVIBcdUvtFwv5LN427mYReBUHPxxI9mxKw9RAw2tK1oyYC2:B/NaOcdqtFwXfmYReBUTCzuOjKOG2
Threatray	390 similar samples on MalwareBazaar
TLSH	T13E14AE1272E0B823E16247319D29C6E46F2EFC525E7D76ABB3142B2F1D702B1C672746
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	91626e6a6a6a6a60 (2 x RedLineStealer, 2 x Glupteba, 2 x Rhadamanthys)
Reporter	0xToxin
Tags:	7709 agenziaentrate exe Gozi

Intelligence

---

File Origin

# of uploads :

4

# of downloads :

226

Origin country :

IT

Vendor Threat Intelligence

ANY.RUN

Malware family:

n/a

ID:

1

File name:

dow.exe

Verdict:

No threats detected

Analysis date:

2023-03-01 14:19:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/244f5f1f-1555-4af4-9f36-26c2ec3a4228

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/370816/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.22093.14451.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

DNS request

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63ff5e9a93921fa042361ee2/reports/fec58ebb-4580-4740-bfef-fbf97ebaa10c/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Ursnif

Malware family:

Ursnif

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/59633157-2a87-4107-a367-3c12ad77d2ee

Joe Sandbox Ursnif

Result

Threat name:

Ursnif

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1184937

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d/

ReversingLabs TitaniumCloud Win32.Ransomware.StopCrypt

Threat name:

Win32.Ransomware.StopCrypt

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-03-01 14:18:05 UTC

File Type:

PE (Exe)

Extracted files:

23

AV detection:

19 of 25 (76.00%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tuphdokovobfzeudo7utg576wyxafkc3pv2qxcbzdeqhcgnfnygq._file

Threatray gozi

Verdict:

malicious

Label(s):

gozi

Alert

Create hunting rule

Similar samples:

3b3e3f142508409133b565c5ee076574340c6d2eded21b8294db1156c9474858

Gozi

42978b12f0f6a35808049532ca02a2cbbd0181bc71d6c8525a7a4d2c4861ee4a

Gozi

84908c9c014c59a36369a618dfc51316646d1dbc3314da3c66100b0706567d22

Gozi

cff404581196accfce86e8ba7a5b8f63b686ef831e384d95e46a04f908e0987a

Gozi

dcc33bc510228ff4cf4dc286e5902be5a262e3def4189960c702d27b83da84b2

Gozi

df9bc10545b7066ec3bc8868a9e20379aa9a7cbb38928902520eea8fdd3ac2a7

Gozi

+ 380 additional samples on MalwareBazaar

Hatching Triage gozi

Result

Malware family:

gozi

Alert

Create hunting rule

Score:

  10/10

Tags:

family:gozi botnet:7709 banker isfb trojan

Link:

https://tria.ge/reports/230301-rl9mysga8x/

Behaviour

Gozi

Malware Config

C2 Extraction:

checklist.skype.com
62.173.141.252
31.41.44.33
109.248.11.112

UnpacMe ISFB_Main win_isfb_auto

Unpacked files

SH256 hash:

876860a923754e2d2f6b1514d98f4914271e8cf60d3f95cf1f983e91baffa32b

MD5 hash:

2beb711bcfd441ca2d92da0313823a41

SHA1 hash:

ebc1777b9ef7242892e8479f3330ed561c370127

Detections:

ISFB_Main

Alert

Create hunting rule

win_isfb_auto

Alert

Create hunting rule

Link:

https://www.unpac.me/results/ed6f4aa7-b9f8-4038-82e1-cc646d7943e0/

Parent samples :

3b3e3f142508409133b565c5ee076574340c6d2eded21b8294db1156c9474858
876860a923754e2d2f6b1514d98f4914271e8cf60d3f95cf1f983e91baffa32b
9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d
05b73bccd726df4df86b10b00b2ed4d6e6ba9832e3b473dd7abe6c50c8d5bfbf
061c271c0617e56aeb196c834fcab2d24755afa50cd95cc6a299d76be496a858

SH256 hash:

0368213fda034a3878243909f3c7943f971d3612af7fc1e97cb29673014ff837

MD5 hash:

ef600e76df6ed020b1b17b2f809408fd

SHA1 hash:

13654f0cbbf74d4477798f06e69cc69ba478328d

Link:

https://www.unpac.me/results/ed6f4aa7-b9f8-4038-82e1-cc646d7943e0/

SH256 hash:

9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d

MD5 hash:

d055f0b77a70a552d00e830b31a1157c

SHA1 hash:

3f2e82445ff35440405dd1d439941c83fbc57fd3

Link:

https://www.unpac.me/results/ed6f4aa7-b9f8-4038-82e1-cc646d7943e0/

VMRay Ursnif

Malware family:

Ursnif

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9d1e71b94eab/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/370816/