MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5e798492ba6892a57c79c635679563eceacb6d1efcc38f5dfc0232518861ca8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 4



SHA256 hash: a5e798492ba6892a57c79c635679563eceacb6d1efcc38f5dfc0232518861ca8
SHA3-384 hash: 92b0b09378a6a490b03e15ba9e265e5a3a7f6c96c61615086cfaa25799edafa3dc5cb7d71f81cf70feea8888634ff4c2
SHA1 hash: 78f875eabdca337c3526e52ba324902e7a148ce6
MD5 hash: a3d9b510e2e17f4ea08aa9f74b54e6b5
humanhash: rugby-cola-venus-diet
File name: yn.dll
Signature: Gozi
File size: 413'696 bytes
First seen: 2020-06-03 17:33:48 UTC
Last seen: 2020-07-19 19:45:12 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: e43cc7ada705744f3773e4f7b07d207d (1 x Gozi)
ssdeep: 6144:p/XvoKeJzjwanAMDqig5LNL4NzQyBlH5xXnI1yLNkuyt47OuSoCHolcW/x88:hQVxDzChgLH5BnsymD47+o1lc4V
Threatray: 58 similar samples on MalwareBazaar
TLSH: D9949E513BB44415F2578F3D58F241228FBEADC8EA79C2C646C623DA0AA72D05B7C787
Reporter: abuse_ch
Tags: dll Gozi ZLoader


abuse_ch
ZLoader payload URL:
http://gegnacheckwebtiyclin.tk/asn/yn.dll

Intelligence

File Origin
# of uploads: 4
# of downloads: 78
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-06-03 16:29:51 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 17 of 31 (54.84%)
Threat level: 5/5

Result
Malware family: zloader
Score: 10/10
Tags: family:zloader botnet:miguel campaign:03/06 botnet trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blacklisted process makes network request
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://ticlatchmisrato.tk/wp-parser.php
https://gahotimaskever.ga/wp-parser.php
http://cld.kazgau.com/wp-parser.php
https://cmso.med.cmu.ac.th/wp-parser.php
http://veamor.net/wp-parser.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash | Reference
Web download | Gozi | DLL dll | a5e798492ba6892a57c79c635679563eceacb6d1efcc38f5dfc0232518861ca8 | (this sample)

Comments