MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb426461ef70ffd601cb64a687c62edda066b99a79e49d880918300da5eb6548. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb426461ef70ffd601cb64a687c62edda066b99a79e49d880918300da5eb6548
SHA3-384 hash: b136855f001e26f32d50153e1716cfc5cdad6e989993c2b69e3dfeebec9c4d6ad8f26be46cfb4c4b98a4446f0acb6a5e
SHA1 hash: b96e96b206aa49c958f1f72faa9c94836ba40ee8
MD5 hash: 8471983647373e0bbf28b42cbeef05cd
humanhash: florida-robert-july-freddie
File name:server.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:189'952 bytes
First seen:2023-03-08 20:21:12 UTC
Last seen:2023-03-08 21:52:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d87275419603abb20f5f1f078df04ba (7 x RedLineStealer, 2 x GCleaner, 2 x Stop)
ssdeep 3072:99TF8soKOiplAtOJy6xOAOwk+JpWV9I7C+vaaTqF:R7ojip5DOwk+JpWV9oCua7
Threatray 433 similar samples on MalwareBazaar
TLSH T192047D0253E06C35F667C7315E3EF2E67A7EF4614E3BE79922145A2B09B11E2C963312
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 916a6a6a6a6a6a64 (28 x Smoke Loader, 25 x RedLineStealer, 9 x Tofsee)
Reporter abuse_ch
Tags:7711 exe geo Gozi isfb ITA Ursnif


Avatar
abuse_ch
Gozi payload delivery via rogue SMB server:
smb://46.8.210.57/Agenzia/server.exe
smb://46.8.210.31/Agenzia/server.exe

Gozi C2s:
62.173.138.6:80
89.117.37.146:80
46.8.210.82:80
89.116.227.15:80
31.41.44.51:80

Intelligence

File Origin
# of uploads :
2
# of downloads :
236
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
server.exe
Verdict:
Malicious activity
Analysis date:
2023-03-08 20:22:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c6894ce0-0c8e-430d-812b-8f208b7c5cc9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372690/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.7861.19463.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/6408ee6bf0b8f72099e86986/reports/b4de1b7b-51f6-4b43-9ec6-4e907a409d3f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bb426461ef70ffd601cb64a687c62edda066b99a79e49d880918300da5eb6548
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2192932-45e7-4452-852e-9d129472ca5e
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1189764
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb426461ef70ffd601cb64a687c62edda066b99a79e49d880918300da5eb6548/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 20:29:17 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
15 of 25 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xnbgiyppod75maolmstiprro3wqgnom2phsj3cajdaya3jplmvea._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0afb28c467b02cc9b91cbd45a6b0eee38a4c0c93c11efe7e892e9ae8a0f250a4
Gozi
170dd3abe427fc961d381ffd472d1c19c0a5c2943339e820850b09017adb0393
Gozi
210dd5fc781ed257780772f5119da596b87f0208d87d8c36b1729e4153ab7ac2
Gozi
76a4371031b41468ffa00f983d52207391e0a2d80861f170fcf69645ae3fd903
Gozi
7c98bc665b12e5b4602947e7f6eab31e12497516e2888e0edbd7c6e9dfd3ec49
Gozi
ade76c27d8fcf82e28efe778f9e848f6da9ecd4bb2129bb59278d78b69523ad2
Gozi
ca2e28ee7e793e7748701bb3875d0e11fe24a1aacb9b3cdc1865c890423f51ae
Gozi
d479fbc3b01161bcdbfa1a314df42b29947ba1c115139aa93cb03997f4deb864
Gozi
ec4a3b4195a3e96b2368b55ebb4c3c64e07a2d84e8f5b8a501b0547473ebf9d9
Gozi
f6ae8c2cb6a6fa1c6983d535640e6b1589434bc8822f5af1d9c7e1bdee658810
Gozi
+ 423 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7711 banker isfb trojan
Link:
https://tria.ge/reports/230308-y5jzzagh27/
Behaviour
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.138.6
89.117.37.146
46.8.210.82
89.116.227.15
31.41.44.51
Unpacked files
SH256 hash:
5bd64a7b018db5b4538d8077ad7a50871dc6c5682a1f151cc5e8a42673e4384f
MD5 hash:
e12d09d7f5bc156c651ad31508626593
SHA1 hash:
afdbc23b99f31640b473772dc1db24ffc9ed61a9
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/cab2e354-784d-431f-ae9d-fe1ec0e8a050/
Parent samples :
8ca6d4d0d27c950e7bc234bc16b0a89bf9122ac5b708fa215ce7bf4009387350
5bd64a7b018db5b4538d8077ad7a50871dc6c5682a1f151cc5e8a42673e4384f
2b31a64f7d221dfd8ac33edaf101a4c1ac73f36dcd7abb976517fb1e90750544
bb426461ef70ffd601cb64a687c62edda066b99a79e49d880918300da5eb6548
SH256 hash:
f92b7309b1f8db85c47cf85f63fc630aa38bd3c8d462f25414b958de50b85b71
MD5 hash:
b1ae3f12e513cd39695206b0ffb7e474
SHA1 hash:
8e5779b84417fb83708078274c1329d27f33ff41
Link:
https://www.unpac.me/results/cab2e354-784d-431f-ae9d-fe1ec0e8a050/
SH256 hash:
bb426461ef70ffd601cb64a687c62edda066b99a79e49d880918300da5eb6548
MD5 hash:
8471983647373e0bbf28b42cbeef05cd
SHA1 hash:
b96e96b206aa49c958f1f72faa9c94836ba40ee8
Link:
https://www.unpac.me/results/cab2e354-784d-431f-ae9d-fe1ec0e8a050/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bb426461ef70/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb426461ef70ffd601cb64a687c62edda066b99a79e49d880918300da5eb6548

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe bb426461ef70ffd601cb64a687c62edda066b99a79e49d880918300da5eb6548

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/372690/

Comments