MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbe4ba4eb8c4d9617d4f285b869f217c2dd0854d400b8cb0bae1709c21ce005c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 7

SHA256 hash: dbe4ba4eb8c4d9617d4f285b869f217c2dd0854d400b8cb0bae1709c21ce005c
SHA3-384 hash: 5180b8226f3ebe8380ed4b3917493b891726a0a0629fefbd4a904d47974266503e714fbd356d1038e888f44d9b71d914
SHA1 hash: 2d62e9894022170d7eb52e9278ce514924b9a46c
MD5 hash: 676c0247f71d862733001396629f7419
humanhash: avocado-angel-fanta-alpha
File name: file_78840.vbs
Signature: Gozi
File size: 1'909'343 bytes
First seen: 2021-05-12 16:29:57 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 24576:xEaMf/98XsO7V6YtFCcCXS20vDClnNP3v/e:xPMfV8Xs2V6YtFCcCXS20vDClnNP3v2
TLSH: F8952D1A0A269573A59E0A8196D7495BB6F3C74C9F8C02453F32BDEF1C7A0CDA1307E6
Reporter: rmceoin
Tags: Gozi Ursnif vbs


rmceoin
This was contained inside a password protected ZIP named file_78840.zip that came from the URL https://1drv.ms/u/s!AiIsZsbRbvS0eKklzU_b_zX6SEU?e=8yFcYk

If you rename the VBS to contain "48446" or place an empty file named %USERPROFILE%\Downloads\48446.txt, it will run the script in debug mode, which emits MsgBox dialogs while running.

Intelligence

File Origin
# of uploads: 1
# of downloads: 425
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Sending a UDP request
Deleting of the original file

Result
Verdict: MALICIOUS

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100
Signature:
Benign windows process drops PE files
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Behaviour:
Behavior Graph:

Threat name: Script-WScript.Dropper.Heuristic
Status: Malicious
First seen: 2021-05-11 23:37:32 UTC
AV detection: 9 of 47 (19.15%)
Threat level: 2/5
Verdict: unknown

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
Deletes itself
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via e-mail link

Comments