MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b57e90f3f5326920735a5ebc884b4ad1b28e97b48bba4615ab6e7092ea386bd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	b57e90f3f5326920735a5ebc884b4ad1b28e97b48bba4615ab6e7092ea386bd2
SHA3-384 hash:	3881c0f9d721ee0549ea80c5eba32a45010b2dad77e562b600b92ac665480ff3763c47e546fa3f2de70853d7cb3d7345
SHA1 hash:	c2cfb5493a7028c86f2586be202f30677217ed8d
MD5 hash:	c9e18364321b63d9c82bbfe1140b3a14
humanhash:	chicken-moon-louisiana-four
File name:	azienda.zip
Download:	download sample
Signature	Gozi Create hunting rule
File size:	466 bytes
First seen:	2023-03-08 10:02:17 UTC
Last seen:	2023-03-09 08:20:04 UTC
File type:	zip
MIME type:	application/zip
ssdeep	6:5jCIu/3kbur+T4SLSVX1BMKLyneqMne+t8FG5qtAu/WRhHEGG8JX:5jpu/UI+TrLml/zqMeEu/yrJX
TLSH	T1C9F0ABF88C181609C2DF3BF6C1BE1626E07571CC27B0808323A7E2004500BF04B82754
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	JAMESWT_WT
Tags:	agenziaentrate Gozi ITA meg mise Ursnif zip

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	azienda.url
File size:	191 bytes
SHA256 hash:	257413c17f63500a76f9d0216a8dee283021299a61dc0539e6e870fd5d78177b
MD5 hash:	c57ce09111a84d1110b24a8505ff5804
MIME type:	text/plain
Signature	Gozi

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Heur.28204.23661.UNOFFICIAL

TwinWave.EvilShortcut.DottedQuadDancingInHeavenZip.20230105.UNOFFICIAL

TwinWave.EvilShortcut.DottedQuadDancingInHeaven.20230105.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

remote

Link:

https://www.filescan.io/uploads/64085d5810ca2273c93e4ac7/reports/29def01c-4d15-485f-b906-2a9f127a88ea/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/b57e90f3f5326920735a5ebc884b4ad1b28e97b48bba4615ab6e7092ea386bd2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b57e90f3f5326920735a5ebc884b4ad1b28e97b48bba4615ab6e7092ea386bd2/

Threat name:

Win32.Trojan.UrsnifLNK

Status:

Malicious

First seen:

2023-03-08 10:15:44 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

1 of 25 (4.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wv7jb47vgjusa422l26iqs2k2gzi5f5uro5emfnlnzyjf2rynpja._file

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:7711 banker isfb trojan

Link:

https://tria.ge/reports/230308-qmtgpaha5s/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Gozi

Malware Config

C2 Extraction:

checklist.skype.com
62.173.138.6
89.117.37.146
46.8.210.82
89.116.227.15
31.41.44.51

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/b57e90f3f5326920735a5ebc884b4ad1b28e97b48bba4615ab6e7092ea386bd2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Methodology_Suspicious_Shortcut_SMB_URL Create hunting rule
Author:	@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Description:	Detects remote SMB path for .URL persistence
Reference:	https://twitter.com/cglyer/status/1176184798248919044