MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec4171872384e62627b06976f6e513650087c00e8c42f70d6b9d29b54e18a8e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 4



SHA256 hash: ec4171872384e62627b06976f6e513650087c00e8c42f70d6b9d29b54e18a8e6
SHA3-384 hash: fe0950820503a30ac3fca4c106914404a831c2a9f968be798bf9e7bbc4704cb5ac41cc4f39a12c09722d265e803d68f8
SHA1 hash: bdc733c1c239adc0d10b89e630862f6fe692c189
MD5 hash: 3ce1a9571feef80297bd3c7c33e53476
humanhash: eighteen-victor-louisiana-king
File name: SecuriteInfo.com.Trojan.Siggen9.46491.30495.5886
Signature: Gozi
File size: 3'441'152 bytes
First seen: 2020-05-19 10:29:06 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 4cf116229550a15d6e40c5e3e33565e8 (7 x Gozi)
ssdeep: 98304:w3stBCO4uUbYDDhfV3y2YB88QWDyHtGDnfb11W0b2ZhLiUtKLjWU:wctB4UDS2R8JywrbT2ZfOW
Threatray: 372 similar samples on MalwareBazaar
TLSH: 13F58C017A81E025EAA91AB3CE68D5FD02157D54DF7490DB30D0BF8FBA7BAE69830711
Reporter: SecuriteInfoCom
Tags: Gozi

Intelligence


File Origin
# of uploads: 1
# of downloads: 78
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Danabot
Status: Malicious
First seen: 2020-05-19 10:35:51 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 22 of 48 (45.83%)
Threat level: 5/5
Result
Malware family: danabot
Score: 10/10
Tags: family:danabot banker trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Blacklisted process makes network request
ServiceHost packer
Danabot
Malware Config
C2 Extraction:
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments