MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec33d59365a0a4cbc9eca3feeb9007c5590e5ead81c6a8f0c9967a8e93ba5fe2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec33d59365a0a4cbc9eca3feeb9007c5590e5ead81c6a8f0c9967a8e93ba5fe2
SHA3-384 hash: 3abfc61374588b816e8d93540a45d29230b213b455ec323dc13fc26bcb7daf7557fbd6d23f2afdf05794d232ca17836a
SHA1 hash: 00667af154f422b28af1bf28a62d6ed186186b04
MD5 hash: e39b6ba95134fed2ce020e34fce39c38
humanhash: diet-september-robin-enemy
File name:64jdustas73sgsf.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:245'447 bytes
First seen:2020-07-09 14:39:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 064a32af63c8cccb6bf8c0f8687c002e (2 x Gozi)
ssdeep 1536:bB40PEgE1RMPC39kZSIaIO9D8PiBXl/v/v/v/PZfeBH9MFCvJgZP1au0w7YwbiPe:bpPEdnM1SI8D/GBREPguL7RmrK
Threatray 635 similar samples on MalwareBazaar
TLSH F234D90474E75F03ECEB0CB604D291B442ABED815B3EE847B792B57589733F14A9CA29
Reporter JAMESWT_WT
Tags:Gozi

Code Signing Certificate

Organisation:DNS KOMPLEKT
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Jun 8 00:00:00 2020 GMT
Valid to:Jun 8 23:59:59 2021 GMT
Serial number: E3C7CC0950152E9CEEAD4304D01F6C89
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 82975E3E21E8FD37BB723DE6FDB6E18DF9D0E55F0067CC77DD571A52025C6724
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23932/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34134008.17513.30702.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a window
Searching for the window
DNS request
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec33d59365a0a4cbc9eca3feeb9007c5590e5ead81c6a8f0c9967a8e93ba5fe2/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 14:40:08 UTC
File Type:
PE (Exe)
Extracted files:
55
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0420f115272506def9983a6505933ca05d57530a47ae230d956d5f614f96a947
Gozi
15ade7bdc134a60f35b87cc7b9466cc2642ec1bd39e9811a084c17ed1eab890e
Gozi
22fd2e8b0e5f77dc6ee8c434efed1df15742f0deb6940b3fa714893cde3c2980
Gozi
23886b6f4a8e361711392340cf4115ea310d69b17c5b1abeca4523d8f28585e0
Gozi
374dbd8d269730e0815f7d1f7ac4ca31709b6346d198b9d615218354ee323ef2
Gozi
5208d85239499375d151e2e9bcad3088bad8f96debf2d2c4e468670eac776c4f
Gozi
b6815b7c6bd39d114da295e839d472997b073db3d57429aadad20bb73c7b47c2
Gozi
c627841bdb4c88c478e294b12c5dbc4bc9ab35667fe0595966cdc9c9cf64c242
Gozi
c7552fe5ed044011aa09aebd5769b2b9f3df0faa8adaab42ef3bfff35f5190aa
Gozi
fea27a041a45b4f5fd5fb49c50f0dd538e3fc2448374a2cde475204fc7cdd454
Gozi
+ 625 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200709-a5gsv5s3e6/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Checks whether UAC is enabled
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks whether UAC is enabled
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://2raweggs.com/strogau/fgastromae.php
Cape
Cape
https://www.capesandbox.com/analysis/23932/

Comments