MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c92faf82686dcadc018709ce4180f6e1eeddfa8fa40a190656c187589ca44e24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c92faf82686dcadc018709ce4180f6e1eeddfa8fa40a190656c187589ca44e24
SHA3-384 hash: 78b74424a1122942655eb67613bf0113f3675db56a3be57767f925bf8ea2434b29576d6ac4333f1e478a8e9566e12ac0
SHA1 hash: df15a567b3661ab3a5e4a0422a0ac30a2403700e
MD5 hash: 547dcb2e392adc56d9d7ed1748ba99c4
humanhash: table-nebraska-winter-bravo
File name:df15a567b3661ab3a5e4a0422a0ac30a2403700e.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:233'472 bytes
First seen:2023-06-21 12:42:23 UTC
Last seen:2023-06-21 12:58:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a5471e9b5a4d51109b645937067bcab0 (2 x RedLineStealer, 1 x Fabookie, 1 x Tofsee)
ssdeep 1536:q3T+04u0HGH70E+YgNHeqnrov7P6BzxONmGWRTwCbaioimf5Bv8tor8ZFb/2e7eJ:q3Tp70oxD2zJGmMAe5BkKoieLPNoHFh
Threatray 223 similar samples on MalwareBazaar
TLSH T19F34AF12FDF0AC32D526DB729D6ED5E43B1DFD508F94679B22182A1F09B01A0CA72379
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0164606a62626c10 (1 x Gozi)
Reporter TIntel484
Tags:exe Gozi Ursnif

Intelligence

File Origin
# of uploads :
3
# of downloads :
331
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
df15a567b3661ab3a5e4a0422a0ac30a2403700e.exe
Verdict:
No threats detected
Analysis date:
2023-06-21 12:45:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f4646617-514b-4e7a-beda-7d51dc95e86a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
UrsnifV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/401355/
Detection(s):
Win.Dropper.Tofsee-10004548-0
Create hunting rule

Win.Dropper.LokiBot-10004663-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6492f056bf0c96409e7991a2/reports/192de433-6f29-4df4-80cd-ce042be6731e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c92faf82686dcadc018709ce4180f6e1eeddfa8fa40a190656c187589ca44e24
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2d92433-05db-48b9-8f4f-1e96b1c94676
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1259005
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c92faf82686dcadc018709ce4180f6e1eeddfa8fa40a190656c187589ca44e24/
Threat name:
Win32.Trojan.Lockbit
Create hunting rule
Status:
Malicious
First seen:
2023-06-21 09:23:38 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zex27atinxfnyamhbhhedahw4hxn36upuqfbsbswygdvrhfejysa._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0423fd21a639d16d71c50b15fdf96b7e19690583b2aee6f25443329d0e8ea0eb
Gozi
06864a9cd9890f3c1aad6bdc5dfbfb799e68f5f90a99b6146ca70850d0a249a1
Gozi
06b3f14f359d4286bf5323824f637e082e876b9c1de0002109ff23e336ff9062
Gozi
0b3d641004b2a730cd86a3131f6ae569e6692c03368dd1ac17f14bfd395e5bcb
Gozi
8291f9579288153e0a1812c6c528563634c5c41b0916c606f7d8b4544ccc381a
Gozi
a8c9c3b481e9f453c9dce5939a7e8c6c220ebbadd6cb16a7d7436d55ed19d971
Gozi
d42f53c75818af4aae281a0c3f760e20643852405d69134d03f6ba5c62efe316
Gozi
ea2d71af9790b0a058d0d166c52c2609a1a106053189c515b6059b5f18e9e48b
Gozi
ebd73a3f010aa3cf01059a4c08f9f70d0d7d4d671e76d024e5dfd60b27e92a66
Gozi
+ 213 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:10000 banker isfb persistence trojan
Link:
https://tria.ge/reports/230621-pxwt5aag4v/
Behaviour
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Gozi
Malware Config
C2 Extraction:
https://avast.com/in/login/
http://94.247.42.61
https://avast.com/ibgn/login/
http://185.158.251.39
https://duckduckgo1.com/search/intet/
http://45.155.250.225
https://duckduckgo2.com/searfch/inteft/
http://79.132.128.95
Unpacked files
SH256 hash:
e8b210e3a809761cea5b96f51fc0d2daf9435b5ee6cd3e7ca665fefd7d798fb3
MD5 hash:
49749253422cff10ef8a2b5653bf651f
SHA1 hash:
5e0c89572cd579dd6f8e404d5f2c5c797d995fec
Link:
https://www.unpac.me/results/171632a3-3615-4f13-9cf9-cbd84137c969/
SH256 hash:
968916d136d61bc031ce16e9d7922920ecb06498752279b608ef24bddfaa032a
MD5 hash:
74ed83c35467c116bab9674bc38725b7
SHA1 hash:
3632b347cf2e2c0c803e1a875bbd124c9e1b394a
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/171632a3-3615-4f13-9cf9-cbd84137c969/
SH256 hash:
c92faf82686dcadc018709ce4180f6e1eeddfa8fa40a190656c187589ca44e24
MD5 hash:
547dcb2e392adc56d9d7ed1748ba99c4
SHA1 hash:
df15a567b3661ab3a5e4a0422a0ac30a2403700e
Link:
https://www.unpac.me/results/171632a3-3615-4f13-9cf9-cbd84137c969/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c92faf82686d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c92faf82686dcadc018709ce4180f6e1eeddfa8fa40a190656c187589ca44e24

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/401355/

Comments