MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7552fe5ed044011aa09aebd5769b2b9f3df0faa8adaab42ef3bfff35f5190aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7552fe5ed044011aa09aebd5769b2b9f3df0faa8adaab42ef3bfff35f5190aa
SHA3-384 hash: f06b0c87669fc2e20b312b77730597fbd610629891677bee674eeeb15f0211b8c6137b3c5263cef558e22aae7ef880c3
SHA1 hash: 022acbdec0f0fa53874aa959dccebe107d6b871f
MD5 hash: 51373389a8df39b4101b69346e3ba336
humanhash: timing-maryland-december-vermont
File name:1844sase.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:340'059 bytes
First seen:2020-07-13 07:30:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9afb525250df5c71d9001580ddab0687 (1 x Gozi)
ssdeep 3072:rcndAVpy3WRe9PSChC54m4QYJl6RqVsLsqYacsDIv+f7PO/P0qdAJXnwztYNWqDv:rcGJe9PCYQeacsEv6P8xWWzK
Threatray 631 similar samples on MalwareBazaar
TLSH 9B745F0074EB9F07DC9B0DB604C291F542ABEC815B6AE883BBD1B57199737F24E9C219
Reporter abuse_ch
Tags:exe GoDaddy Gozi Salesfoce

Code Signing Certificate

Organisation:DNS KOMPLEKT
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Jun 8 00:00:00 2020 GMT
Valid to:Jun 8 23:59:59 2021 GMT
Serial number: E3C7CC0950152E9CEEAD4304D01F6C89
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 82975E3E21E8FD37BB723DE6FDB6E18DF9D0E55F0067CC77DD571A52025C6724
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing Gozi:

HELO: p3plwbeout18-01.prod.phx3.secureserver.net
Sending IP: 173.201.193.182
From: kerry@shopkoch.com
Subject: salesforce.com Order Confirmation 77190/441 -AU
Attachment: QO-77190441.xlsm

Gozi payload URL:
https://blueglobalit.com/afterschool/schoolgirls.php

Gozi C2:
https://vilecorbeanca.xyz/index.htm

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25106/
Detection(s):
SecuriteInfo.com.Variant.Razy.714897.26234.3464.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a window
Searching for the window
DNS request
Sending a custom TCP request
Creating a file in the Windows subdirectories
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7552fe5ed044011aa09aebd5769b2b9f3df0faa8adaab42ef3bfff35f5190aa/
Threat name:
Win32.Infostealer.Gozi
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 07:32:06 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
b6815b7c6bd39d114da295e839d472997b073db3d57429aadad20bb73c7b47c2
Gozi
c3e0c8ce2d7aeb890c6dfb23f0a4fa1c8273935074409f5ed756f1a0874a349d
Gozi
c825554c7fd3d4616252ed1a31c998336b91f245204a7cfb26b312c7f322cd54
Gozi
c8ddc81feb1ad0ab7b47e1ac16870e1181d4c23900a08b687d3faa77d1bfa395
Gozi
ce49fc88895a8db873a98cda4fdb132c5c67c71732321421e867f9a3e8a7cab8
Gozi
e09755fd3d305a65619846f8b1a1f65008c51f39e2842b2a89e5f5d37013d17b
Gozi
ec33d59365a0a4cbc9eca3feeb9007c5590e5ead81c6a8f0c9967a8e93ba5fe2
Gozi
f09799c1563dcfbc92a1cc22cce015a9de6829fd4ac512e9c73879ae75880ef3
Gozi
f3b8ff57248d9b3f224a511ba4c73d1fd6e416745d13d9b290c02a5a9b4f2679
Gozi
fea27a041a45b4f5fd5fb49c50f0dd538e3fc2448374a2cde475204fc7cdd454
Gozi
+ 621 additional samples on MalwareBazaar
Result
Malware family:
ursnif_rm3
Create hunting rule
Score:
  10/10
Tags:
banker trojan family:ursnif_rm3
Link:
https://tria.ge/reports/200713-tk9e1ynrne/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Checks whether UAC is enabled
Modifies Internet Explorer settings
Ursnif RM3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Gozi

Excel file xlsm b17553745e016653cace2242fbf6be5d91642e9ec2424d43f97d47576b2fc046

Gozi

Executable exe c7552fe5ed044011aa09aebd5769b2b9f3df0faa8adaab42ef3bfff35f5190aa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/412314/
  
Dropped by
MD5 93897aa2998c1991834aa52bf86c0ad5
  
Dropped by
SHA256 b17553745e016653cace2242fbf6be5d91642e9ec2424d43f97d47576b2fc046
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/25106/

Comments