MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfe6b53554aaf19a2adf3a64ac5133705d6529396de72a80f88a9446ed5ccc6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi
Vendor detections: 7



SHA256 hash: cfe6b53554aaf19a2adf3a64ac5133705d6529396de72a80f88a9446ed5ccc6f
SHA3-384 hash: 7c5a6c3a7898ea344c39e87d66a111bc747a1eb00c7f350953d980df07d6d75be7b966b1f3182fd3ffd83ce165d8e3c8
SHA1 hash: f0fec57b42ed700d0ef123152c8b71369df57d72
MD5 hash: 6ceaad476cacd69b31f3ff6181662ada
humanhash: eighteen-beryllium-arizona-potato
File name: Agenzia_Entrate.zip
Signature: Gozi
File size: 7'923'928 bytes
First seen: 2023-03-02 12:21:06 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 196608:xdU6C3K4ZTDbvQMVMdkY6kvtCNTK8v/XbvQMVMdkY6kLjN8:ZCfVvQMVV66bzvQMVVEjN8
TLSH: T13B86335264EA8FB8C96C057D85EB0F4B6A59AF2F9106C35B2366F26B7FF32F45800405
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1); 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: JAMESWT_WT
Tags: agenziaentrate BIG exe file-pumped Gozi zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 233
Origin country: IT
File Archive Information

This file archive contains 10 file(s), sorted by their relevance:

File name: libpng16-16.dll
File size: 241'224 bytes
SHA256 hash: d7d9d3f584067414f4196b5ff1ee9aff2eafbf3a686340ae18e5dc9ea7c1aaef
MD5 hash: 7e82a150c75c5b30dc82d35af29b8387
MIME type: application/x-dosexec
Signature: Gozi

File name: mfcsubs.dll
File size: 36'864 bytes
SHA256 hash: bb4f7ea087bec11099be250a0eb4dbaffe6485c60303cebea179a5c602fb061b
MD5 hash: 817f94733db9bcea6bcd4fd81296f82b
MIME type: application/x-dosexec
Signature: Gozi

File name: Xaml.Controls.Tabs.dll
File size: 1'713'152 bytes
SHA256 hash: df2a64f41527e99678f127c325e1d1e39599008cb11eb2f39f371211035d979e
MD5 hash: fc64906f12cad3266c738f02f5674056
MIME type: application/x-dosexec
Signature: Gozi

File name: XblAuthManager.dll
File size: 1'049'088 bytes
SHA256 hash: 1a5dce5775cd0a511f0edcb23669525590f0f94455c567ddb76dd15c8f25d347
MD5 hash: b62c41e672194a919028786e4a480541
MIME type: application/x-dosexec
Signature: Gozi

File name: DMWmiBridgeProv.dll
File size: 4'448'256 bytes
SHA256 hash: ef7da20805406961052d0146cec2c7f1b5ba4db17a114e15a237f33e5768e7cb
MD5 hash: e246609fb36a7acf63392533e48c285e
MIME type: application/x-dosexec
Signature: Gozi

File name: audit.exe.mui
File size: 4'096 bytes
SHA256 hash: fefb48f24b49a3d53c05cd995857d9305d70e91f3c14661fe24ebe3b5f1b8d3f
MD5 hash: 7b24d9094c5e280339308c3c07f590c4
MIME type: application/x-dosexec
Signature: Gozi

File name: AppManMigrationPlugin.dll
File size: 1'246'528 bytes
SHA256 hash: a3fcb57f0246a47954d295a93238b9030ecbc8b4629171d1970d3a1a7e116c6c
MD5 hash: 3e4ead79d46b37df5ea8304d0ac81203
MIME type: application/x-dosexec
Signature: Gozi

File name: cimwin32.dll
File size: 2'112'000 bytes
SHA256 hash: d644b180964e94c4764a08e0dbf85128b5ffb11c13e239892d0fd08ec450c9fd
MD5 hash: 0afa87ff5ad4a8c03d85e3b4b02bbc26
MIME type: application/x-dosexec
Signature: Gozi

File name: wxmsw30u_core_gcc_custom.dll
File size: 4'052'040 bytes
SHA256 hash: 0e2b3d07a2a1566ebc88c62f5686b7442ab080748aaf3724a79905cec7ce2710
MD5 hash: 96dc90661d7cce32c07ac48b5cad827a
MIME type: application/x-dosexec
Signature: Gozi

File name: Informazione_Azienda.exe
Pumped file: this file is pumped (padded to inflate its size). MalwareBazaar has de-pumped it.
File size: 751'328'968 bytes
SHA256 hash: 360662fe225833af7db84c550f8fb9f7afe7333a9b0e2ca436c9c242d9a87975
MD5 hash: 6b2289e478ba947fcdf3162d7dfcc866
De-pumped file size: 1'312'768 bytes (vs. original size of 751'328'968 bytes)
De-pumped SHA256 hash: f463ccd1be5c2c57dbe7e231f5452a143de6ec69eea81fe01a1641178a8f6845
De-pumped MD5 hash: 06ec1b134b30fcbf5a4337ef5dad21eb
MIME type: application/x-dosexec
Signature: Gozi
Vendor Threat Intelligence
Threat name: Win32.Trojan.Tnega
Status: Malicious
First seen: 2023-03-02 12:22:52 UTC
File Type: Binary (Archive)
Extracted files: 51
AV detection: 9 of 25 (36.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:gozi botnet:7709 banker isfb persistence trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.141.252
31.41.44.33
109.248.11.112
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gozi
Sample: zip cfe6b53554aaf19a2adf3a64ac5133705d6529396de72a80f88a9446ed5ccc6f (this sample)

Comments