MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a05dc87818dade7167f782409ae3d601be2a4565b896ea7f74610539724c5d75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a05dc87818dade7167f782409ae3d601be2a4565b896ea7f74610539724c5d75
SHA3-384 hash: 7b88fd05114ab267bf5dbbb9098cc1df92c5896437b83986d03fad7fee39cb1c6296a8cd51058efdd7bb8876fb23fa38
SHA1 hash: b27012c54b9c3f16d129c87304da5f5a058e7ca4
MD5 hash: aa225301dd06b562ed9668df7e742101
humanhash: cardinal-yankee-avocado-enemy
File name:entrat.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:286'208 bytes
First seen:2023-01-10 09:49:06 UTC
Last seen:2023-01-10 09:49:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d0a1ca79cefa40d8115a32ff873943f (13 x Smoke Loader, 8 x Tofsee, 5 x RedLineStealer)
ssdeep 3072:0GXEMhbsLf5crpWfp3U5Nd1YPKQeQZ1ey6SL8a/uX8YmPVrWAnOxQpWZe07rCt9Y:bwLMpWfp3Dr1ReRmHnOxQi7r/
Threatray 833 similar samples on MalwareBazaar
TLSH T18854BF813693D472C8750533F915CEF4A6FABE72991A566373183B1F7EB12E08E26603
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 9a9ecedecee6cec6 (2 x RedLineStealer, 1 x Gozi, 1 x Tofsee)
Reporter JAMESWT_WT
Tags:62-173-138-226 agenziaentrate exe Gozi isfb ITA SMB Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
entrat.exe
Verdict:
Malicious activity
Analysis date:
2023-01-10 08:51:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b362341-ab97-4999-97f5-62cdb04b1489

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351453/
Detection(s):
SecuriteInfo.com.Trojan.Siggen19.16369.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.NspackDotnetNor-2
Create hunting rule

PUA.Win.Packer.NspackDotnetNor-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63bd34ccfc9525ae8a4525d0/reports/6890a0bb-3c2f-4f20-be18-670a12edc039/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/faf32b99-218d-4a12-a72e-4ee5babc0165
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1148603
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a05dc87818dade7167f782409ae3d601be2a4565b896ea7f74610539724c5d75/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-01-10 09:50:08 UTC
File Type:
PE (Exe)
Extracted files:
69
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ubo4q6ay3lphcz7xqjajvy6wag7curlfxclou73umects4smlv2q._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
085f5ba3ede4736e4532ee9a6dd13f124696e14ae32040777bf65daf6cb9b1eb
Gozi
0cad467c0709098827b014336cfc985819a55e937f75605b8d74a725a1c08f49
Gozi
286b152411afeb6b43d9e05cb520831f1e8ff9a8f3beaa73a181ac06ac8299f1
Gozi
4c735faa784e0918e35d6d8aa90f43b4c712061dd409075756206fc11aa59392
Gozi
4d35ccf5e2aa09c71975568b9529133f7043fb520c188575c1e25a5ab8bd480e
Gozi
746746aabb0cdea77b04723db8a2d2ee92a3725d4b36455648fdf712885b54d5
Gozi
98be3c4ec1dd1d276844d37eea1f8591585111f0dd6bd39e79fce089f612f5d3
Gozi
9ab3ca285ebedc42099fdefb8d3c8d2058e71b205fa5e417d10cd4751bac26b0
Gozi
ada273c52847e0fc851983fe48d9536bd6e16b8da77da492ce282636d086f798
Gozi
d745a91746ba72f60798b18a96973d25497008f82ad3b783f7db1a23c9ef0d05
Gozi
+ 823 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7703 banker isfb trojan
Link:
https://tria.ge/reports/230110-ltyyjabc9s/
Behaviour
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.138.234
31.41.44.112
91.107.119.114
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b410a924-9d14-4cc8-b17e-cdb2cc033877
Unpacked files
SH256 hash:
90899f0cae6331ec8615641155f1b1018434d028644ff725af600b6e78c47c71
MD5 hash:
a3068aae0158ed3dd9805755394f28c1
SHA1 hash:
30d56782a1782982dddf315d0e8f4810e85acb67
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/11000769-711d-4e12-9cd1-71fc8cfefb43/
Parent samples :
a05dc87818dade7167f782409ae3d601be2a4565b896ea7f74610539724c5d75
789bd7d9d615cc2a6cd59593b7700272ff937d944572441c33659e5b96c79ff4
8f1c5b1771516be31b865dfc6b1829e9209e50baa159fc526ddac231430b2789
SH256 hash:
a5ba2a6f406b1805da8faa11bb725217512871280754a24e89b4c703036474a0
MD5 hash:
0d72a6d28a48621d96bfceb6baec42e5
SHA1 hash:
22b739a94f48d2ff26b6432245945a2fb984b8da
Link:
https://www.unpac.me/results/11000769-711d-4e12-9cd1-71fc8cfefb43/
SH256 hash:
a05dc87818dade7167f782409ae3d601be2a4565b896ea7f74610539724c5d75
MD5 hash:
aa225301dd06b562ed9668df7e742101
SHA1 hash:
b27012c54b9c3f16d129c87304da5f5a058e7ca4
Link:
https://www.unpac.me/results/11000769-711d-4e12-9cd1-71fc8cfefb43/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a05dc87818da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a05dc87818dade7167f782409ae3d601be2a4565b896ea7f74610539724c5d75

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351453/

Comments