MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e807c46ba7cd53bf6900d1a8f32baba9a118410483faa68d51b233de738483e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	e807c46ba7cd53bf6900d1a8f32baba9a118410483faa68d51b233de738483e3
SHA3-384 hash:	ef6a189e2322bf7307941302acdb9a54227db529592463faea41750d9107cc18053caa7de4592a597e79eea536a50d44
SHA1 hash:	7dd349b8664ec7dbe769da64e1b324ae091a29e2
MD5 hash:	1d8a445bef0c0d4a7ec519f06c23224a
humanhash:	single-skylark-pennsylvania-network
File name:	d2ef5.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	37'888 bytes
First seen:	2022-10-26 06:26:26 UTC
Last seen:	2022-10-26 07:25:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1640d668d1471f340cbe565fe63522f6 (15 x Gozi)
ssdeep	768:tQLm41fM01vAeyRTwFiCRn7IYbo7gMaBMOF6c629pto:tL41fMSv7ASRnFLMaMOF6c6Y
Threatray	261 similar samples on MalwareBazaar
TLSH	T16E03E1276AA42D7DFAC345353A21F24207990271833ED5D607B3B47E8523ADF511F792
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	1ZRR4H
Tags:	exe Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

230

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d2ef5.exe

Verdict:

Malicious activity

Analysis date:

2022-10-26 06:28:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/28ff4014-d9a2-4f47-b92b-4db22d0854e3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/324218/

Detection(s):

SecuriteInfo.com.Trojan.Gozi.890.12117.6517.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

DNS request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/45557/overview

Behaviour

MalwareBazaar

CheckCmdLine

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/41caac68-2657-48a6-8a90-5a76040ab059

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1098081

Signature

Antivirus / Scanner detection for submitted sample

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e807c46ba7cd53bf6900d1a8f32baba9a118410483faa68d51b233de738483e3/

Threat name:

Win32.Infostealer.Gozi

Status:

Malicious

First seen:

2022-10-17 12:45:00 UTC

File Type:

PE (Exe)

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ad4i25hzvj362ia2gupgk5lvgqrqqieqp5kndkrwiz5444eqprq._file

Verdict:

malicious

Label(s):

gozi

Gozi

7ca57c7d182c4c00ae2c86e0e2055734d6b6421a7c419b5bb9c69869b8dbec64

Gozi

8e570e32acb99abfd0daf62cff13a09eb694ebfa633a365d224aefc6449f97de

Gozi

c0e28d4e88c59688657c839c344e6c1289002ef0ba461ebbf3cd4b75949312e9

Gozi

e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869

Gozi

ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d

Gozi

f8388847ebddbc0c6db43ede0ee839fa304fc4786d4a7c8285eb746a5a2ee711

Gozi

+ 251 additional samples on MalwareBazaar

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:10103 banker trojan

Link:

https://tria.ge/reports/221026-g7rn6aehc4/

Behaviour

Gozi, Gozi IFSB

Malware Config

C2 Extraction:

trackingg-protectioon.cdn1.mozilla.net
siwdmfkshsgw.com
188.127.224.114
weiqeqwns.com
weiqeqwens.com
weiqewqwns.com
iujdhsndjfks.com
ijduwhsbvk.com

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/71c4dedb-0fe7-4493-85d8-41e4bfda867f

Unpacked files

SH256 hash:

ec57d48f9a8f736a40382e30903debbbe0e077fdc4796a5d15b751fb4afa4ca0

MD5 hash:

2bff375e136582e27baf83074b8e2e33

SHA1 hash:

0feb0aeed9b58da0767568424aa6659f520d73ef

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/09d9f739-ee82-41e0-abef-dd89afc3b784/

SH256 hash:

e807c46ba7cd53bf6900d1a8f32baba9a118410483faa68d51b233de738483e3

MD5 hash:

1d8a445bef0c0d4a7ec519f06c23224a

SHA1 hash:

7dd349b8664ec7dbe769da64e1b324ae091a29e2

Link:

https://www.unpac.me/results/09d9f739-ee82-41e0-abef-dd89afc3b784/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e807c46ba7cd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.34

Link:

https://yomi.yoroi.company/submissions/e807c46ba7cd53bf6900d1a8f32baba9a118410483faa68d51b233de738483e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/324218/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample