MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4
SHA3-384 hash: 48d1300e4b1e84753c97e2291662aa1acd92e0a6bc8b249aa8354ba6f929995b293ed3a922870a7c47db951ea16a67c4
SHA1 hash: 8aae4053a26f5e5872ba47ef8b131420a276704b
MD5 hash: a2a9f6b8590fe99ab0ff6673450f98f8
humanhash: illinois-foxtrot-colorado-white
File name:Informazion.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:189'952 bytes
First seen:2023-01-17 14:58:01 UTC
Last seen:2023-01-17 16:35:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6313ebe7f1089deb3296f0fff7b6e6a6 (4 x Smoke Loader, 1 x RedLineStealer, 1 x Gozi)
ssdeep 3072:lJX3d5UjKWPdqs5SHcKohib61tVrrDzlfg3w38Wqs:P3AdQhqU61zrXzEQ8
Threatray 3'378 similar samples on MalwareBazaar
TLSH T1DC04BD2336D3E871C05B42314E18FAE97B7FF5324963C69727A90A6F5E702A0C66B705
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9a9acedec6cac2c6 (1 x Gozi)
Reporter JAMESWT_WT
Tags:agenziaentrate exe Gozi Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Informazion.exe
Verdict:
No threats detected
Analysis date:
2023-01-17 14:58:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b362be67-a055-4c94-9b6e-c7d9f691d4f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353863/
Detection(s):
PUA.Win.Packer.NspackDotnetNor-2
Create hunting rule

PUA.Win.Packer.NspackDotnetNor-1
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63c6b77cd99bdea27b24f69c/reports/14fd50d4-f317-4c82-9b6c-49201a483c44/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1838e919-597f-4883-b783-f15ab18e2f15
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1153185
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2023-01-17 14:57:34 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xadevnlzuey4upibi7jqynvmoaek6yk3rsz4gs5mp6cxakbrp62a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
28fa399c77300c2883af5b05b1b204822080ab4efc81f0c18d2c13da91b1540d
Gozi
5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a
Gozi
72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8
Gozi
77629525d17aa4d9f1774497c1ed871735298bf362431374b063ec7d78937799
Gozi
cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb
Gozi
f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2
Gozi
f6c5bf500e4232377c631d6daa24b4492485a77627a06af69383f25762afe31f
Gozi
f9884452829d3ae85a5ccb07d762b13b65a056234a31f8b1cfe34cdc1eeec57a
Gozi
+ 3'368 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7705 banker isfb trojan
Link:
https://tria.ge/reports/230117-sb6nzshf95/
Behaviour
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.140.150
31.41.44.179
91.107.119.172
Unpacked files
SH256 hash:
7103f7350c1c6440c7d2b0eb0508155299ee952d2f3c7fd4494ea336148b611e
MD5 hash:
31cc93e9ddac46a13a913a20636f0cca
SHA1 hash:
f745b819167c4876c293d4e67e28e68d993cdcda
Link:
https://www.unpac.me/results/5ffab7e5-d242-4240-b748-b7a6b5e9d8a0/
SH256 hash:
fc1b71bb16f5f21c92a4654bd8d027414741f57f3537daff55efc16b820705f6
MD5 hash:
a07bcf19802db39b4eb1d786e5d2070b
SHA1 hash:
c1c2b079334bfa6b91df0e0bbecb07c99165d343
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/5ffab7e5-d242-4240-b748-b7a6b5e9d8a0/
Parent samples :
5470ec14ff3c953e06f801b2f10b78147567a30cc921d35be0fb443df3ca254a
f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2
b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4
737bff8488486744c65118caaadaa03cc43981ec3c5b6c6bea544f3366f0873a
4f38f1e0e4d1a7b0ee3e98bf9eb766bad6bddbe0ff43af23d28728f6195f109f
SH256 hash:
b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4
MD5 hash:
a2a9f6b8590fe99ab0ff6673450f98f8
SHA1 hash:
8aae4053a26f5e5872ba47ef8b131420a276704b
Link:
https://www.unpac.me/results/5ffab7e5-d242-4240-b748-b7a6b5e9d8a0/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8064ab579a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/353863/

Comments