MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea10f282be1864ccfe204fcba69fea1b172213a5dc114ef46c629a1ea98c8c24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea10f282be1864ccfe204fcba69fea1b172213a5dc114ef46c629a1ea98c8c24
SHA3-384 hash: 89eed6b7f1357b8c1cff8ddda299aa0ba4bb785d1362c51b586e5ca9d7570e19843562683877b07edf0c88233c72b8ae
SHA1 hash: 9c68ffba054067f51fbb172bc00d835e0014a073
MD5 hash: defe731e1ca1092c08e5edd84404ed21
humanhash: mars-montana-white-april
File name:XqBTvE.ntwgj
Download: download sample
Signature Gozi
Create hunting rule
File size:258'103 bytes
First seen:2022-03-15 10:23:52 UTC
Last seen:2022-03-15 12:21:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c4715cf6be93a0d532bbd0073142431e (3 x Gozi, 2 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 3072:BwsrrHgB98BRdFfHsN+DBZqGZvTx5kQ4e2B0:iqHgEBRjZqGZ7wVRK
Threatray 12'450 similar samples on MalwareBazaar
TLSH T11644CF213660C837F55326311924CB725B7A78316AA5C34B7BA81F3A4F313D0AA3E3D6
File icon (PE):PE icon
dhash icon 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter madjack_red
Tags:exe Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250687/
Detection(s):
SecuriteInfo.com.Variant.Mikey.135294.29741.27346.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Searching for synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Searching for the window
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/9263/overview
Behaviour
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed
Link:
https://www.filescan.io/uploads/623069480cd58dbd929dc8ff/reports/588e60cc-0389-4338-82d1-85e97d77bc16/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82b9bf8a-47d3-42fe-971b-6b3af34c6656
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/956892
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Compiles code for process injection (via .Net compiler)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Sets debug register (to hijack the execution of another thread)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Encoded FromBase64String
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 589372 Sample: XqBTvE.ntwgj Startdate: 15/03/2022 Architecture: WINDOWS Score: 100 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for URL or domain 2->79 81 Antivirus / Scanner detection for submitted sample 2->81 83 13 other signatures 2->83 11 XqBTvE.exe 1 2->11         started        14 iexplore.exe 3 108 2->14         started        process3 dnsIp4 95 Detected unpacking (changes PE section rights) 11->95 97 Detected unpacking (overwrites its own PE header) 11->97 99 Injects code into the Windows Explorer (explorer.exe) 11->99 101 4 other signatures 11->101 17 cmd.exe 1 11->17         started        20 explorer.exe 11->20 injected 71 192.168.2.1 unknown unknown 14->71 23 iexplore.exe 30 14->23         started        25 iexplore.exe 27 14->25         started        27 iexplore.exe 27 14->27         started        29 iexplore.exe 27 14->29         started        signatures5 process6 dnsIp7 73 Encrypted powershell cmdline option found 17->73 31 forfiles.exe 1 17->31         started        33 conhost.exe 17->33         started        63 193.189.100.205, 49839, 49846, 49850 VALORKIEV-ASKharkovUkraineUA Sweden 20->63 65 82.221.131.5, 80 THORDC-ASIS Iceland 20->65 69 4 other IPs or domains 20->69 75 System process connects to network (likely due to code injection or exploit) 20->75 67 gogojoob.xyz 194.104.136.213, 443, 49763, 49764 SMEERBOEL-ASSMEERBOELBVNL Netherlands 23->67 signatures8 process9 process10 35 cmd.exe 1 31->35         started        38 conhost.exe 31->38         started        signatures11 85 Encrypted powershell cmdline option found 35->85 40 powershell.exe 31 35->40         started        process12 file13 57 C:\Users\user\AppData\Local\...\4u5hkhzz.0.cs, C++ 40->57 dropped 87 Encrypted powershell cmdline option found 40->87 89 Injects code into the Windows Explorer (explorer.exe) 40->89 91 Sets debug register (to hijack the execution of another thread) 40->91 93 3 other signatures 40->93 44 csc.exe 40->44         started        47 csc.exe 40->47         started        49 powershell.exe 40->49         started        51 powershell.exe 40->51         started        signatures14 process15 file16 59 C:\Users\user\AppData\Local\...\wjzvcca3.dll, PE32 44->59 dropped 53 cvtres.exe 44->53         started        61 C:\Users\user\AppData\Local\...\4u5hkhzz.dll, PE32 47->61 dropped 55 cvtres.exe 47->55         started        process17
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ea10f282be1864ccfe204fcba69fea1b172213a5dc114ef46c629a1ea98c8c24/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 10:24:12 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5iipfav6dbsmz7raj7f2nh7kdmlsee5f3qiu55dmmknb5kmmrqsa._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
07de0324fd15b8dab3b0c9e4345a2ecc0d2bc0c806f6702cda99e480e9d6506c
Gozi
32e30f494b7bb01ab18836029193c2a79fb63795f978eeed31103f368c6d8fba
Gozi
4934962518447fe675fc3e72322d7e8eb1521bddcd45eae280f98d0b4d138c01
Gozi
51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
Gozi
5521400dffe660536524b06e28edc0805136092457722f3e1246a8749a0a7471
Gozi
74e82ea63f25fdb065ab8d4df1d69f9a22d1c1a76edf609f2f22d5080411fe4c
Gozi
9f3805a821c12122b67395c50e390d35c70e83d5b82a6e5741e56c0087960a60
Gozi
a8e2a996c913eb390bd0074d461a97156ad7395ae5ca856c2a6e6c14be534e2d
Gozi
d5b1a96dc7d4007a9228abee105cd77305827ed28aac77932e7c416c888c9d30
Gozi
edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f
Gozi
+ 12'440 additional samples on MalwareBazaar
Result
Malware family:
gozi_rm3
Create hunting rule
Score:
  10/10
Tags:
family:gozi_rm3 banker trojan
Link:
https://tria.ge/reports/220315-mfdacacaak/
Behaviour
Delays execution with timeout.exe
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Uses Tor communications
Gozi RM3
Unpacked files
SH256 hash:
61170bc10fbf919c54920e0e16915332fcdea35807c73bc63a8fc027caa1b1e6
MD5 hash:
67788165e578ca91ad4cd46dfd8e567e
SHA1 hash:
008d5f76ce37ae4774089fbc611f464cd720d2b0
Link:
https://www.unpac.me/results/47b73ef2-760e-4526-a8b1-bc1634b4e203/
SH256 hash:
ea10f282be1864ccfe204fcba69fea1b172213a5dc114ef46c629a1ea98c8c24
MD5 hash:
defe731e1ca1092c08e5edd84404ed21
SHA1 hash:
9c68ffba054067f51fbb172bc00d835e0014a073
Link:
https://www.unpac.me/results/47b73ef2-760e-4526-a8b1-bc1634b4e203/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ea10f282be18/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.43
Link:
https://yomi.yoroi.company/submissions/ea10f282be1864ccfe204fcba69fea1b172213a5dc114ef46c629a1ea98c8c24

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/250687/

Comments