MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de342d1a4e8dd15037b9b5e859bb57e2e8db8987957cc232ce545db5610ce0e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de342d1a4e8dd15037b9b5e859bb57e2e8db8987957cc232ce545db5610ce0e3
SHA3-384 hash: de166deff2610d7ae56c48944265888da658d7caa7e6433693d76a3eb363bf920257cd005cd3bd83110cfe0e6a140a7a
SHA1 hash: b0f465a36e86e11ce00756e7e81b679bd9f98c29
MD5 hash: 4f74df55ff11ae52b59a5ae086593347
humanhash: november-mars-ceiling-burger
File name:lfahe1.cab
Download: download sample
Signature Gozi
Create hunting rule
File size:535'552 bytes
First seen:2020-05-28 12:20:23 UTC
Last seen:2020-05-28 12:58:05 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash eedba6c798d77dcccfec1ed86c2501a3 (1 x Gozi)
ssdeep 12288:HJ9Q59mktu69ZSLxRb1OHddihFDTg0mXMaCsbeUWzHbFMmsih0ghD:vTr2dihFDTg0mXMaCsbezzbkyh
Threatray 636 similar samples on MalwareBazaar
TLSH 25B4BE1136C1C036E67F22364925DAB5056FBC644EF01AEF37E45F6F1F3AA818621B62
Reporter abuse_ch
Tags:dll geo Gozi USA Valak


Avatar
abuse_ch
Valak payload URLs:
http://nrs2wjke0t2vz9.com/alfh/xzrn.php?l=lfahe1.cab
http://j5sfioue15kxqs.com/alfh/xzrn.php?l=lfahe6.cab
http://ft23fpcu5yabw2.com/alfh/xzrn.php?l=lfahe9.cab

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'849
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.PrivateExeProte-11
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Midie
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 12:36:53 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
14 of 31 (45.16%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
00a8e89cdd91a236a1e462ee34e090807a52af43cb41509b84685a06b40f3a5e
Gozi
54cc3426c8ad3f2d39543a8157843620af7108ea419589cc6755e77a31b96047
Gozi
5c9b22633bb9c7f20fcd928e0093ac5debd1dabd7f42daa479725b5f2db38e91
Gozi
866e522886833782a25f4c9cdb823a29f3a4d1e8b26eef03ed271af7b991eae5
Gozi
88741b14f426f4cb2f942dea22a70f85ae06a9e86ee03decd1ae79e6371f1b59
Gozi
89ba115fae17f47a9f69c535d1b79510d8123e80207495b5380b1b8b1f66c814
Gozi
8bcd0f6cb2c259f22ade6de07f926c2e1512948af545e7a33fd27f784ef12bfd
Gozi
9d46a97f288bd037918b0ba5c374ed392388d7f6de7e93f2289d44c70982b5ce
Gozi
9e3a497a827876ab6b91eb532b3706f9ba4c0c22c86c9c049f21bb5add78bc36
Gozi
eccca8a3f4c7a1ec13665137759fe722aceef7a1688f92c8a4c7796f6d85237f
Gozi
+ 626 additional samples on MalwareBazaar
Result
Malware family:
valak
Create hunting rule
Score:
  10/10
Tags:
family:valak Loader
Link:
https://tria.ge/reports/201109-4ry1jth3zn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
JavaScript code in executable
ServiceHost packer
Valak
Valak JavaScript Loader
Suspicious use of NtCreateProcessExOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll de342d1a4e8dd15037b9b5e859bb57e2e8db8987957cc232ce545db5610ce0e3

(this sample)

  
X
https://twitter.com/p5yb34m/status/1265749526909870080
  
URLhaus
https://urlhaus.abuse.ch/url/371039/
  
URLhaus
https://urlhaus.abuse.ch/url/371040/
  
URLhaus
https://urlhaus.abuse.ch/url/370128/
  
Delivery method
Distributed via web download

Comments