MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a58feb7dd89f90f6e2e66f514837dc037ad56822ce08c964d9b7a325ea4c089e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a58feb7dd89f90f6e2e66f514837dc037ad56822ce08c964d9b7a325ea4c089e
SHA3-384 hash: 3fb1c2c3929210045e0847b920ed7851d9da98a4f84c51959307f187efe4e2829be5c7b84a7ecb5496660cd4887ec925
SHA1 hash: fa5636949c57269c2678e71cd59c4aa621125962
MD5 hash: 9ddb744191a0793933f475ac728c3bc4
humanhash: nitrogen-nevada-missouri-table
File name:certifica.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:300'032 bytes
First seen:2023-10-10 11:18:38 UTC
Last seen:2023-10-10 11:54:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 43c856276c896899101e7feab79916ce (3 x Gozi)
ssdeep 6144:eh0vn9Vf8KTRN0W24TYYV27nbLfgBWHva:Fn9h8cRmqYk28BWH
Threatray 112 similar samples on MalwareBazaar
TLSH T106548E1363A1BC21E56A9F324D2DD6A43B3EFC518ED9B79A32646F1F08701A1C673712
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70d0ddd4c8c8d2dd (1 x Gozi)
Reporter JAMESWT_WT
Tags:agenziaentrate exe Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
359
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
certifica.exe
Verdict:
No threats detected
Analysis date:
2023-10-10 16:08:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7cf8a293-d8f2-494f-a1a9-406a5a921e58

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Generic-10010271-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a58feb7dd89f90f6e2e66f514837dc037ad56822ce08c964d9b7a325ea4c089e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f40887c-ed73-4aef-9268-eb23a61fd861
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1322810
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a58feb7dd89f90f6e2e66f514837dc037ad56822ce08c964d9b7a325ea4c089e/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-10-10 11:17:43 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwh6w7oyt6ipnyxgn5iuqn64an5nk2bczyemszgzw6rsl2smbcpa._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2827659e91ce12f283b9c619460ffac72e7eaf449b0d5c4b69e7dcd3f435c93a
Gozi
31f983668db02626b9c65b0f2fc7d14b59400c485d4ffc88418f3f76bf62ef85
Gozi
507eaaa1d406b7ab2ee84f49bda87ebca9599192e0d2fd0a13cffe9aa33d7d37
Gozi
5cd96f6b1e6a4a172d852a7bcf5ad10bf029e135061f0ae5105f45a9920089a2
Gozi
78d20bb0f3344b725617819f4f2c2246a3c1d1cada81d931d63603f67a1b7aa7
Gozi
89f95125147099a904d27ea26b3cb99c98f6d289bd6d6fc437d1e9c68fe65274
Gozi
9f710a0fc0cadbf3378c06ca4fefa2486bdf04646201f9efec7cd5a4c97634b4
Gozi
c4e2d88423ccf3deb091466181ecec99da2b65411afd07604216dac7d8dcc939
Gozi
d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a
Gozi
d8f9367ba0766cdae24e569453778a563689a671074096915b69f26aeb5c3efd
Gozi
+ 102 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:5050 banker isfb trojan
Link:
https://tria.ge/reports/231010-nevnnsfa57/
Behaviour
Gozi
Malware Config
C2 Extraction:
45.93.139.24
Unpacked files
SH256 hash:
d57604507e690c5604ae75d8fae24e9d76582b2018165d1aa624de4e25bca5f7
MD5 hash:
5d700686f67f517a85bc34b849c38cd8
SHA1 hash:
c29b9a6be26facc203326530c755c502540a1c70
Link:
https://www.unpac.me/results/fe3002ce-5b9b-452a-90ee-80b0ffeecd9e/
SH256 hash:
580a6bccc51030cef877b8ac00ef6f9be7369a01bca7698c29c5cd1abe3f1990
MD5 hash:
8b61f8e62b18781430b85d62c4d705b7
SHA1 hash:
1f5a45bf2905ee0d10607a6cf59a98168a995a2a
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/fe3002ce-5b9b-452a-90ee-80b0ffeecd9e/
Parent samples :
a58feb7dd89f90f6e2e66f514837dc037ad56822ce08c964d9b7a325ea4c089e
b9d63fdb2ed5ccfb4dd3f9b0135d392aa5e2d9f5125550f96202823413752e6f
84fd08c94c4bc99da0aeb4fecf9bc31f91bd52d4a6869e0e57f0acc9345e832d
SH256 hash:
a58feb7dd89f90f6e2e66f514837dc037ad56822ce08c964d9b7a325ea4c089e
MD5 hash:
9ddb744191a0793933f475ac728c3bc4
SHA1 hash:
fa5636949c57269c2678e71cd59c4aa621125962
Link:
https://www.unpac.me/results/fe3002ce-5b9b-452a-90ee-80b0ffeecd9e/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a58feb7dd89f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a58feb7dd89f90f6e2e66f514837dc037ad56822ce08c964d9b7a325ea4c089e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_indirect_function_call_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_no_import_table
Create hunting rule
Author:qux
Description:Detects exe does not have import table
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments