MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c58594d414c882ce33499233c2f508789e5fa4d91b79ef01d763012e39d7b095. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c58594d414c882ce33499233c2f508789e5fa4d91b79ef01d763012e39d7b095
SHA3-384 hash: 16d1fb1be92eb15aa95e36c57a632f85ab6680932a4a27dfdbbdf7b347a502e953297d38989f457d8390dc618667db2a
SHA1 hash: 4cac658d4d2802f56852cd0f09ba161d675910a0
MD5 hash: d22c98237b0eae8d57171beb23bf958e
humanhash: mockingbird-nineteen-december-friend
File name:dip.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:3'441'152 bytes
First seen:2020-05-19 05:19:33 UTC
Last seen:2020-05-19 05:45:36 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 4cf116229550a15d6e40c5e3e33565e8 (7 x Gozi)
ssdeep 98304:w3stBCR4uUbYDDhfV3y2YB88QWDyHtGDnfb11W0b2ZhLiUtKLjWU:wctBBUDS2R8JywrbT2ZfOW
Threatray 23 similar samples on MalwareBazaar
TLSH ADF58C017A81E025EAA91AB3CE68D5FD02157D54DF7490DB30D0BF8FBA7BAE69830711
Reporter abuse_ch
Tags:DanaBot dll geo GMX Gozi POL


Avatar
abuse_ch
DanaBot payload URL:
https://ludicrouslyl.at/3/dip.dll

DanaBot C2s:
45.147.228.92:443
172.81.129.196:443
192.99.219.207:443
54.38.22.65:443
23.82.140.201:443
51.255.134.130:443
192.236.179.73:443

Intelligence

File Origin
# of uploads :
2
# of downloads :
815
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4022/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.67242.21020.17805.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Danabot
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 05:36:09 UTC
AV detection:
19 of 31 (61.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1f5b47b9e255b731d6e019429e2b46ef1599fe64dcec7514c74184e9da62aef3
Gozi
2a46d6c287851041f7a352051cadd95de3379b8878191c925f7d423a475936e6
Gozi
32031ca4487b08af41a597da7d22c05a3d4f676c33119c057f3f4a1431217887
Gozi
361ecee960829c871e1535a6231f3985b2e0b373aecf4bd8d5fea67e1c1834ec
Gozi
504eb3ba676729d316c8f6639ae45b0be030124e0c3007e9edade3b57b49e708
Gozi
6477f00ecf9e2396faf3ca69abf4d36050f653418fa6877c6f672ea08c4e95c9
Gozi
7df6cffe72503e47063c3b80da0e2df2d3932fa50cb08daa8f0d0aa8ec7d8184
Gozi
a5bd1ac8e6458e40e63cf558145dbd06cc2700d97f9ed3ae5a161b165ca6c035
Gozi
e5433fd6cca0e48363d7e1c022becdb8a495290aae3acccac838c2a723394528
Gozi
ec4171872384e62627b06976f6e513650087c00e8c42f70d6b9d29b54e18a8e6
Gozi
+ 13 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-d3qlchnakn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Blacklisted process makes network request
ServiceHost packer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DanaBot

Excel file xlsm 61b707fed05e29d8c1a1de6c41ef3c7333211f5fc95a5eed33a71ff712b02952

Gozi

DLL dll c58594d414c882ce33499233c2f508789e5fa4d91b79ef01d763012e39d7b095

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/364760/
  
Dropped by
MD5 fbec2ff868bf30b8f2c3872f71646604
  
Dropped by
SHA256 61b707fed05e29d8c1a1de6c41ef3c7333211f5fc95a5eed33a71ff712b02952
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/4022/
Cape
Cape
https://www.capesandbox.com/analysis/4018/

Comments