MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9d63fdb2ed5ccfb4dd3f9b0135d392aa5e2d9f5125550f96202823413752e6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 17

Intelligence 17 IOCs YARA 9 File information Comments

SHA256 hash:	b9d63fdb2ed5ccfb4dd3f9b0135d392aa5e2d9f5125550f96202823413752e6f
SHA3-384 hash:	177524b30a9f88c832718aa7d02d911d386f483db9ec0ef725314e9edc22f46c71286d159b2220d887960587db7eeb93
SHA1 hash:	068b3e66b7fad8b7f459ee6bd15ebeea164813ef
MD5 hash:	d922178922a02e77833537fc62b20809
humanhash:	five-mike-maryland-washington
File name:	impresa.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	300'032 bytes
First seen:	2023-10-10 11:54:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	43c856276c896899101e7feab79916ce (3 x Gozi)
ssdeep	3072:GlNF1wKkcvX9AMnk93vQj+hBBkjVabfm+bNX0qxg9waJRaI/aT:mi0vX9AMkxn6j0bfm+bNkdBa
Threatray	113 similar samples on MalwareBazaar
TLSH	T1F3548E1363A1AC21D5268B329D2ED6A4373EFD51CED5679A33687F2F08701A1C672B13
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	70d0dcd4d0c8d2dd (1 x Gozi)
Reporter	JAMESWT_WT
Tags:	agenziaentrate exe Gozi isfb Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

373

Origin country :

Vendor Threat Intelligence

Malware family:

ursnif

ID:

File name:

impresa.exe

Verdict:

Malicious activity

Analysis date:

2023-10-10 15:05:53 UTC

Tags:

gozi ursnif dreambot banker stealer

Link:

https://app.any.run/tasks/a4944e6d-f070-4415-b7db-5a4695dd030c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.Generic-10010271-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

Sending an HTTP GET request

Gathering data

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/65253b98a31588d184f5fcd5/reports/4a532723-a651-4a50-b613-65c17b051861/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/b9d63fdb2ed5ccfb4dd3f9b0135d392aa5e2d9f5125550f96202823413752e6f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c16e9f04-9319-4869-8ee9-1f7672202c40

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1322868

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

gozi

Link:

https://mwdb.cert.pl/sample/b9d63fdb2ed5ccfb4dd3f9b0135d392aa5e2d9f5125550f96202823413752e6f/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-10-10 11:54:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xhld7wzo2xgpwtot7gybgxjzfks6fwpvcjkvb6lcakbdie3vfzxq._file

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:5050 banker isfb trojan

Link:

https://tria.ge/reports/231010-n3fjnafb96/

Behaviour

Gozi

Malware Config

C2 Extraction:

45.93.139.24

Unpacked files

SH256 hash:

d57604507e690c5604ae75d8fae24e9d76582b2018165d1aa624de4e25bca5f7

MD5 hash:

5d700686f67f517a85bc34b849c38cd8

SHA1 hash:

c29b9a6be26facc203326530c755c502540a1c70

Link:

https://www.unpac.me/results/38c41f12-88bb-4c0b-81da-579151725a00/

SH256 hash:

580a6bccc51030cef877b8ac00ef6f9be7369a01bca7698c29c5cd1abe3f1990

MD5 hash:

8b61f8e62b18781430b85d62c4d705b7

SHA1 hash:

1f5a45bf2905ee0d10607a6cf59a98168a995a2a

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/38c41f12-88bb-4c0b-81da-579151725a00/

Parent samples :

a58feb7dd89f90f6e2e66f514837dc037ad56822ce08c964d9b7a325ea4c089e
b9d63fdb2ed5ccfb4dd3f9b0135d392aa5e2d9f5125550f96202823413752e6f
84fd08c94c4bc99da0aeb4fecf9bc31f91bd52d4a6869e0e57f0acc9345e832d

SH256 hash:

b9d63fdb2ed5ccfb4dd3f9b0135d392aa5e2d9f5125550f96202823413752e6f

MD5 hash:

d922178922a02e77833537fc62b20809

SHA1 hash:

068b3e66b7fad8b7f459ee6bd15ebeea164813ef

Link:

https://www.unpac.me/results/38c41f12-88bb-4c0b-81da-579151725a00/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b9d63fdb2ed5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b9d63fdb2ed5ccfb4dd3f9b0135d392aa5e2d9f5125550f96202823413752e6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_indirect_function_call_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_no_import_table Create hunting rule
Author:	qux
Description:	Detects exe does not have import table

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample