MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d748a00416baf3e4e5bf0a4e8312cd9c88872a6ab594628d7ff6d206e6705322. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d748a00416baf3e4e5bf0a4e8312cd9c88872a6ab594628d7ff6d206e6705322
SHA3-384 hash: 55fda26d067b4433a99d34be6276db7ca4e35af7d8696b859d756c859eb63e3976fceb2f95b40a6ed5ade955c8415dfe
SHA1 hash: c889ef53f6964ead132578f8db1b15c36cc945ee
MD5 hash: 1c8632e1035b5967c4eb2eccec5a7369
humanhash: magnesium-thirteen-maine-robert
File name:~1077093.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:181'248 bytes
First seen:2020-08-21 20:34:04 UTC
Last seen:2025-04-09 11:30:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b6a58ed6f8692391c8a2472bba4b336 (1 x Gozi, 1 x IcedID)
ssdeep 3072:xGE6xMl7e33J09W88647LgQC3PRYSnFFKh2:09xA63un8bgXRJ
Threatray 131 similar samples on MalwareBazaar
TLSH 5F049E213282C037E21712384726E7749BAEB8314F75678FBBC156AD9F256E1CB253C6
Reporter malware_traffic
Tags:89-44-9-186 exe Gozi IcedID

Intelligence

File Origin
# of uploads :
3
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49592/
Detection(s):
SecuriteInfo.com.Generic.mg.1c8632e1035b5967.6689.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Connection attempt
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/445225
Signature
Allocates memory in foreign processes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains VNC / remote desktop functionality (version string found)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 275348 Sample: #U007e1077093.exe Startdate: 23/08/2020 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for submitted file 2->68 70 Contains VNC / remote desktop functionality (version string found) 2->70 72 Uses net.exe to modify the status of services 2->72 74 2 other signatures 2->74 8 #U007e1077093.exe 3 2->8         started        12 kuezau.exe 2 2->12         started        process3 dnsIp4 50 ubbifeder.cyou 89.44.9.186, 443, 49723, 49733 M247GB Romania 8->50 52 siesetera.club 8->52 80 Detected unpacking (changes PE section rights) 8->80 82 Detected unpacking (overwrites its own PE header) 8->82 84 Early bird code injection technique detected 8->84 92 2 other signatures 8->92 14 msiexec.exe 1 5 8->14         started        86 Contains functionality to detect hardware virtualization (CPUID execution measurement) 12->86 88 Writes to foreign memory regions 12->88 90 Allocates memory in foreign processes 12->90 signatures5 process6 dnsIp7 54 192.168.2.1 unknown unknown 14->54 56 ubbifeder.cyou 14->56 58 siesetera.club 14->58 46 C:\Users\user\AppData\Local\user\kuezau.exe, PE32 14->46 dropped 48 C:\Users\user\AppData\Local\...\sqlite64.dll, PE32+ 14->48 dropped 60 Tries to steal Mail credentials (via file access) 14->60 62 Tries to harvest and steal browser information (history, passwords, etc) 14->62 64 Tries to detect virtualization through RDTSC time measurements 14->64 66 Performs a network lookup / discovery via net view 14->66 19 systeminfo.exe 1 1 14->19         started        22 cmd.exe 1 14->22         started        24 net.exe 1 14->24         started        26 5 other processes 14->26 file8 signatures9 process10 signatures11 76 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->76 78 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->78 28 conhost.exe 19->28         started        30 conhost.exe 22->30         started        32 chcp.com 1 22->32         started        34 conhost.exe 24->34         started        36 net1.exe 1 24->36         started        38 conhost.exe 26->38         started        40 conhost.exe 26->40         started        42 conhost.exe 26->42         started        44 2 other processes 26->44 process12
Detection:
icedid
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d748a00416baf3e4e5bf0a4e8312cd9c88872a6ab594628d7ff6d206e6705322/
Threat name:
Win32.Trojan.Slepak
Create hunting rule
Status:
Malicious
First seen:
2020-08-21 20:35:05 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
icedid
Create hunting rule
Similar samples:
341621050c83b242a1779e5a88f4c6389b7efc1406d5e5ba8e7828a0d74fbb86
Gozi
4438467f45eedf09a6ddf01129a914bd3846bc7771bc15bfb512b85337b5d108
Gozi
58215823021c2da84fcf725bbb9b118aba9b72178577cba1d4c69545b9ae7fa2
Gozi
5bc0e27e86d9a4d5e7005669c12b97b56a42ac17fb5cc93de24f38527b5e97e1
Gozi
5bd66c88148005029d20c92e1d793f8d41f47a273a9334f9a85ec31148d0b040
Gozi
648fa862ce3d2230c2754a31f45d20b74f70d8648a9ad5897ba0d6a35627b592
Gozi
75195784a153205aad34eea77c000358081fd1e1c8abab6e532b2ae8e983c44b
Gozi
9ad02a119c0df3fb652557b2b5c3136a3fb7f80e78774f1bffd5237eb2d9a514
Gozi
d197285f37378d669afe2da7d3c60dcb93c118acf0d059d14ca67dcd73708ed2
Gozi
e3be616e258172d4596cd61cbb6ec39b6e7aa0cf8138793783e21a4b6ab4c038
Gozi
+ 121 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/200821-v9r61m72aj/
Behaviour
Discovers systems in the same network
Gathers network information
Gathers system information
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d748a00416baf3e4e5bf0a4e8312cd9c88872a6ab594628d7ff6d206e6705322

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/49592/

Comments