MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b156c9ad046d0d4b174f7308bd3b965f4425b1dfa38e7dc19e6e1eb54b0b49a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b156c9ad046d0d4b174f7308bd3b965f4425b1dfa38e7dc19e6e1eb54b0b49a1
SHA3-384 hash: 7afa3c949ff169cc3e33f2757c96a0167198775d356f39c1d4c9a3513360a45ef689f73ea27369b402c1722094e7b8bd
SHA1 hash: 8c5f42a5142a86e0ac4819f34340ac7e6ea498a2
MD5 hash: 30511605bee5a35ff80fde0de0105bd4
humanhash: paris-juliet-north-whiskey
File name:document,07.20.doc
Download: download sample
Signature Gozi
Create hunting rule
File size:112'694 bytes
First seen:2020-07-28 19:07:22 UTC
Last seen:2020-08-02 20:57:50 UTC
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 3072:1fW16bdRfBUjNa92ypWbHie8p9D9ivLsm0206BmNZ:8UUjNa9pyHiN8Tsm0206y
TLSH 94B3E00BC550D302C53801FA98870F7A6E1B2B2DB4D09ADF19A50E1FFE7576269DE0AC
Reporter malware_traffic
Tags:doc Gozi IcedID Shathak TA551

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilDoc.VanillaIceIceIDBaby.20200720.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Running batch commands by exploiting the app vulnerability
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/400909
Signature
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Registers a new ROOT certificate
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Certutil Command
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 252718 Sample: document,07.20.doc Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 29 Multi AV Scanner detection for domain / URL 2->29 31 Antivirus detection for URL or domain 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 7 other signatures 2->35 7 WINWORD.EXE 43 40 2->7         started        10 wuapihost.exe 2->10         started        process3 signatures4 39 Obfuscated command line found 7->39 41 Document exploit detected (process start blacklist hit) 7->41 12 cmd.exe 1 7->12         started        14 cmd.exe 2 7->14         started        process5 file6 17 1.exe 14 12->17         started        21 conhost.exe 12->21         started        25 C:\ProgramData\1.exe, PE32 14->25 dropped 23 conhost.exe 14->23         started        process7 dnsIp8 27 8cfayv.com 92.63.98.49, 49732, 49733, 80 THEFIRST-ASRU Russian Federation 17->27 37 Registers a new ROOT certificate 17->37 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b156c9ad046d0d4b174f7308bd3b965f4425b1dfa38e7dc19e6e1eb54b0b49a1/
Threat name:
Document-Word.Trojan.Powload
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 19:09:05 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/200728-t3qc7lyw2e/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Office loads VBA resources, possible macro or embedded object present
An obfuscated cmd.exe command-line is typically used to evade detection.
An obfuscated cmd.exe command-line is typically used to evade detection.
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Process spawned unexpected child process
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b156c9ad046d0d4b174f7308bd3b965f4425b1dfa38e7dc19e6e1eb54b0b49a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments