MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b02be8a230c8c3c92b1535ad44fe2c4a05866195cb2b9243dd9b2d48d7cb35ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Maldoc score: 6


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b02be8a230c8c3c92b1535ad44fe2c4a05866195cb2b9243dd9b2d48d7cb35ea
SHA3-384 hash: a3f07479006e0600b5b9f5f9bb9f7fae2571b591e7c5dbe8813f03360634b530f8f2277bcc14fc8bf074025e4b1a5356
SHA1 hash: 46c95102c15072749fd217cfde43fdca4d94aabd
MD5 hash: 1cb200fa2e050e3f85cbfbe9262cccab
humanhash: cat-lion-fish-timing
File name:XSG4313729.xls
Download: download sample
Signature Gozi
Create hunting rule
File size:85'504 bytes
First seen:2021-11-30 11:16:58 UTC
Last seen:2021-11-30 14:30:26 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 1536:+U0IvlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0Vs4aZpfsXCJtaMLcsNmsiqT:+U0mlYkEIuPm3fNRZmbaoFhZhR0cixIq
TLSH T185834FD96B63ED75DF52D6328CD991956332EC021A7E43873140F3393EB8972EE02686
Reporter JAMESWT_WT
Tags:brt Gozi ITA xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 6
OLE dump

MalwareBazaar was able to identify 14 sections in this file using oledump:

Section IDSection sizeSection name
1118 bytesCompObj
2264 bytesDocumentSummaryInformation
3172 bytesSummaryInformation
462072 bytesWorkbook
5454 bytes_VBA_PROJECT_CUR/PROJECT
6104 bytes_VBA_PROJECT_CUR/PROJECTwm
7992 bytes_VBA_PROJECT_CUR/VBA/Foglio1
85137 bytes_VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro
93040 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
101977 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
11271 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
122641 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
13926 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
14562 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
SuspiciousRunMay run an executable file or a system command
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
4
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
XSG0895509.xls
Verdict:
No threats detected
Analysis date:
2021-11-30 11:13:51 UTC
Tags:
macros
Link:
https://app.any.run/tasks/92292198-7414-424c-adfa-e809b42a2901

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/209889/
Detection(s):
TwinWave.EvilDoc.GoziITAFugazi.20211130.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Result
Verdict:
Suspicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/b02be8a230c8c3c92b1535ad44fe2c4a05866195cb2b9243dd9b2d48d7cb35ea/results/dashboard
Document image
Image:
Download PNG
Document image
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
macros
Link:
https://www.filescan.io/uploads/61a6082fbbfd2af97cbc6481/reports/6e13f2d7-aed6-49aa-9656-bb25faeba31f/overview
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/b02be8a230c8c3c92b1535ad44fe2c4a05866195cb2b9243dd9b2d48d7cb35ea
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
expl
Score:
21 / 100
Link:
https://www.joesandbox.com/analysis/898613
Signature
Document contains an embedded VBA macro with suspicious strings
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b02be8a230c8c3c92b1535ad44fe2c4a05866195cb2b9243dd9b2d48d7cb35ea/
Threat name:
Document-Office.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-11-30 11:04:27 UTC
File Type:
Document
Extracted files:
18
AV detection:
16 of 44 (36.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wav6rirqzdb4skyvgwwuj7rmjicymymvzmvzeq65tmwurv6lgxva._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro
Link:
https://tria.ge/reports/211130-ndpq2aegck/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Office loads VBA resources, possible macro or embedded object present
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/b02be8a230c8c3c92b1535ad44fe2c4a05866195cb2b9243dd9b2d48d7cb35ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/209889/

Comments