MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56
SHA3-384 hash: 1cdc04cabb59e7eade02ab1266795c6eb881c39e2ae42cb3a55b7bd53ad297876d9c04f2bbde7d8a28293a5734bbec70
SHA1 hash: 4cdbdb338a22fd11f0fcc973598e25ba54529db3
MD5 hash: b50ffa06eca2b3a4d92562561fc6b2d1
humanhash: aspen-orange-fanta-green
File name:b50ffa06eca2b3a4d92562561fc6b2d1
Download: download sample
Signature Gozi
Create hunting rule
File size:7'580'858 bytes
First seen:2021-10-25 14:59:47 UTC
Last seen:2021-10-25 17:33:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 196608:r175c0ur92j0iXGqUIyBOiC5Bl7l8HiX7wTPcVW1XjYvK:r175c0ur60IGqUIyBSlBhrwTP6k
Threatray 130 similar samples on MalwareBazaar
TLSH T1007623FC2D05ABA5F93577B8AA2D90BD8B7279B0E2CD41BA3FA3214FD4C54750214B48
File icon (PE):PE icon
dhash icon f0dcdcdcdcdc7030 (1 x Gozi)
Reporter zbetcheckin
Tags:32 exe Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
540
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56.zip
Verdict:
Malicious activity
Analysis date:
2021-10-25 16:56:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fae1b351-d00f-4cab-bd16-669772222700

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199946/
Detection(s):
SecuriteInfo.com.Win32.FakeInstaller-FCryp.338.17247.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6176c677db358dd15ed98b9e/reports/66712e37-5a04-4a18-aaf2-0acdf5d6718b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7e6bd7b-1ccd-4f11-ba06-95f538b6d5e9
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/876407
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 508840 Sample: yRqHWQ91dT Startdate: 25/10/2021 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Detected unpacking (changes PE section rights) 2->34 36 6 other signatures 2->36 6 msiexec.exe 90 49 2->6         started        9 yRqHWQ91dT.exe 11 2->9         started        process3 file4 18 C:\Users\user\AppData\...\audiodent.exe, PE32 6->18 dropped 20 C:\Windows\Installer\MSI17DA.tmp, PE32 6->20 dropped 22 C:\Windows\Installer\MSI14BC.tmp, PE32 6->22 dropped 24 7 other files (none is malicious) 6->24 dropped 11 audiodent.exe 1 6 6->11         started        14 msiexec.exe 6->14         started        16 msiexec.exe 9->16         started        process5 dnsIp6 26 huyasos.in 185.98.87.196, 443, 49796, 49797 VM-HOSTINGRU Russian Federation 11->26 28 get.updates.avast.cn 11->28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uga3kyqsf6zxkijxi5ahh4rodmvrwtgifjjgtzzyi6qofyqszvla._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1197067d50dd5dd5af12e715e2cc00c0ba1ff738173928bbcfbbad1ee0a52f21
Gozi
2ea6afd8cd172d7a43de0e037d7250b9036de4b87e1f0c10ba04c286c8c58704
Gozi
30a4539d1a49783943ad6917b42a30788ba09ddf9eb73c504134393c2ca63da5
Gozi
4f2ada4fba44e50c0c23762724b98dcd98d54340ace84ea1493358987c3dfebd
Gozi
89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde
Gozi
ceba6a7f9a2c25a35090470c6209aefed808786c47194a18415a7898390c20cb
Gozi
dc050b963c642e86bf74da5e85fbfcb0b3c12bd692808bf8ae12a36f4bcf3c84
Gozi
dce8c0cefd63cdb3a4c77b22fb7f7924060c0b5b331c5d4bcc6692d1c4fb43a7
Gozi
+ 120 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware
Link:
https://tria.ge/reports/211025-sdb76agcf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56
MD5 hash:
b50ffa06eca2b3a4d92562561fc6b2d1
SHA1 hash:
4cdbdb338a22fd11f0fcc973598e25ba54529db3
Link:
https://www.unpac.me/results/855b8dda-2595-4171-898a-2763f9f5dbb5/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a181b562122f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.22
Link:
https://yomi.yoroi.company/submissions/a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/199946/
  
URLhaus
https://urlhaus.abuse.ch/url/1712862/

Comments


Avatar
zbet commented on 2021-10-25 14:59:49 UTC

url : hxxp://mworx-sia.com/downloads/windefender_1.4.exe