MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b69638517ea368465f93cdea93c7daa7941a1ee21409ce471159b88a64f05bf6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 7



SHA256 hash: b69638517ea368465f93cdea93c7daa7941a1ee21409ce471159b88a64f05bf6
SHA3-384 hash: 99f167dda5de54905e7479a16a2d62b619f1b0de5bfea0dcf90341989d779f268d05150984c192605fb546a9dcfa260c
SHA1 hash: 2a93661b7d6d39dd08fe8b04efd44ebe05300e33
MD5 hash: dd173b4a927bf731b8f53b0db1b18876
humanhash: robert-seven-undress-fifteen
File name: startca.exe
Signature: Gozi
File size: 155'648 bytes
First seen: 2022-01-06 10:54:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f26f5bea701561745dea20a33c88cd5f (2 x ZLoader, 1 x Gozi)
ssdeep: 3072:U29+hIl2epp1L5GWp1icKAArDZz4N9GhbkrNEk1Yz:LwANp0yN90QEz
Threatray: 248 similar samples on MalwareBazaar
TLSH: T159E3AE5263E400B6E4BA57B099F306875A31BCE19F7883EF2395959E0E336D0E932357
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: JoulK
Tags: exe Gozi ZLoader

Intelligence


File Origin
# of uploads: 1
# of downloads: 404
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: startca.exe
Verdict: No threats detected
Analysis date: 2022-01-06 11:02:49 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 84 / 100
Signature
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Powershell drops PE file
Behaviour
Behavior Graph (ID: 548735; sample: startca.exe; start date: 06/01/2022; architecture: WINDOWS; score: 84)
Signatures at root: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 3 other signatures
Process chain: startca.exe (started) -> cmd.exe (started) -> powershell.exe (started) and conhost.exe (started); rundll32.exe (started) at root
Network (from powershell.exe): teamworks455.com, 134.0.117.16, port 443, AS-REGRU, Russian Federation; 192.168.2.1, unknown
Dropped file (from powershell.exe): C:\Users\user\AppData\Roaming\ca1.dll (MS-DOS); signature: Powershell drops PE file
Threat name: Win64.Backdoor.Androm
Status: Malicious
First seen: 2022-01-05 17:44:38 UTC
AV detection: 1 of 43 (2.33%)
Threat level: 5/5

Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:9093 banker persistence trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
http://google.mail.com
http://392184281.com
http://592182812.com
https://392184281.com
https://592182812.com
Unpacked files
SHA256 hash: b69638517ea368465f93cdea93c7daa7941a1ee21409ce471159b88a64f05bf6
MD5 hash: dd173b4a927bf731b8f53b0db1b18876
SHA1 hash: 2a93661b7d6d39dd08fe8b04efd44ebe05300e33
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments