MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2991de24bb7a821f3baf980d08ce4bb3d6bd851fefe846147a563340d398d73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 8

SHA256 hash: b2991de24bb7a821f3baf980d08ce4bb3d6bd851fefe846147a563340d398d73
SHA3-384 hash: c9957bc4b6e98c5f09c5076ca0e0382f738878f4f0736a6717a49d608155bf16afa7673b2500374b16b8dc49e2d61d42
SHA1 hash: 06ca167ffe9c806032f27d7b621c9380eb7136ed
MD5 hash: 41a2f1ec8b11f55f61e09fb48decb301
humanhash: october-diet-edward-magazine
File name: CV.xll
Signature: Gozi
File size: 683'520 bytes
First seen: 2022-03-02 18:38:55 UTC
Last seen: Never
File type: Excel file xll
MIME type: application/x-dosexec
imphash: a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep: 12288:4n/zDvGHAykHSzLW/4+8bzbBSreMdSqgFK/UqW53ZJ:6zbGHAzHAjX1ocL9
Threatray: 75 similar samples on MalwareBazaar
TLSH: T1C7E4AE5BF7C7FAB0E6BE867A82B1851C527774520360A78F664072896D23392493DF0F
Reporter: abuse_ch
Tags: Gozi xll

Intelligence

File Origin
# of uploads: 1
# of downloads: 252
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: Office Add-Ins - Suspicious
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: ByteCode-MSIL.Trojan.Tnega
Status: Malicious
First seen: 2022-03-02 18:39:18 UTC
File Type: PE+ (Dll)
Extracted files: 2
AV detection: 12 of 27 (44.44%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:20000 banker trojan
Behaviour:
Checks processor information in registry
Discovers systems in the same network
Enumerates processes with tasklist
Enumerates system info in registry
Gathers system information
Modifies Internet Explorer settings
Modifies registry class
Runs net.exe
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Malware family: Gozi, Gozi IFSB
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Gozi
Excel file xll b2991de24bb7a821f3baf980d08ce4bb3d6bd851fefe846147a563340d398d73 (this sample)

Delivery method: Distributed via e-mail attachment

Comments