MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eea88dde6db60a47f8739970d92b729194d2cd6a6d25644a0f26590c2e7097ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 7

SHA256 hash: eea88dde6db60a47f8739970d92b729194d2cd6a6d25644a0f26590c2e7097ef
SHA3-384 hash: f9e7db50a293c7895357606e9ecd6de1f4ae352d819ac95fcdbbff04f974089ce2281077866ef8424220312eee1821de
SHA1 hash: b0b56ddcab8ef3b26e44e8876780aa55bca73215
MD5 hash: 0e12ea4aa2ad456ee70441a21d882de2
humanhash: march-kitten-may-harry
File name: 0e12ea4a_by_Libranalysis
Signature: Gozi
File size: 208'952 bytes
First seen: 2021-05-19 11:01:10 UTC
Last seen: 2021-05-19 13:40:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c445e8be0a86077ffeaafdab8d11f27f (1 x Gozi)
ssdeep: 3072:13xS9mnnSGcXNxyPLXVF07xLkvDwiu34oPst+yqj917IcKYZgmsEJE8uFAuJ/18y:hvnMXCDwd9ye91H3Z75DuFAm/1x2o
Threatray: 253 similar samples on MalwareBazaar
TLSH: FE14AFDD120465BAE04D483298C79BF74E9C7C615EE0979622E33E1A7C3D7A47C1F28A
Reporter: Libranalysis
Tags: Gozi signed

Code Signing Certificate

Organisation: TrustPort
Issuer: VeriSign Class 3 Code Signing 2009-2 CA
Algorithm: sha1WithRSAEncryption
Valid from: 2010-04-09T00:00:00Z
Valid to: 2011-04-09T23:59:59Z
Serial number: 040f11f124a73bdecc41259845a8a773
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 5a5cc633a63281c09bf2650aa765c306ae4a93f6abe4eb4eba4f779e9d5450f7
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads: 2
# of downloads: 178
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0e12ea4a_by_Libranalysis
Verdict: No threats detected
Analysis date: 2021-05-19 11:22:24 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (graph image not reproduced; recoverable details): Behavior Graph ID 417254; Sample: 0e12ea4a_by_Libranalysis.dll; Startdate: 19/05/2021; Architecture: WINDOWS; Score: 88.
Process tree: loaddll32.exe started regsvr32.exe, cmd.exe, iexplore.exe and 18 other processes; cmd.exe started rundll32.exe; iexplore.exe started 4 further iexplore.exe instances.
Network: linolleum.com, linolleum.bar and 3 other IPs or domains (sample); infomeetc.co 195.110.59.2:443 (AS-HOSTINGERLT, Lithuania) and linolleum.com (regsvr32.exe); edge.gycpi.b.yahoodns.net 87.248.118.23:443 (YAHOO-DEBDE, United Kingdom), tls13.taboola.map.fastly.net 151.101.1.44:443 (FASTLYUS, United States) and 10 other IPs or domains (iexplore.exe).
Signatures: Found malware configuration, Multi AV Scanner detection for submitted file, Yara detected Ursnif and 2 other signatures (sample); Writes or reads registry keys via WMI and Writes registry values via WMI (loaddll32.exe, regsvr32.exe); System process connects to network (likely due to code injection or exploit) (regsvr32.exe); Writes registry values via WMI (rundll32.exe).
Threat name: DOS.Trojan.Wacatac
Status: Malicious
First seen: 2021-05-19 11:01:22 UTC
File Type: PE (Dll)
Extracted files: 61
AV detection: 18 of 29 (62.07%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:7408 banker trojan
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
signin.microsoft.com
linolleum.com
linolleum.bar
infomeetc.co
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_KB_CERT_040f11f124a73bdecc41259845a8a773
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments

accidentalrebel commented on 2021-05-19 12:06:38 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [F0002.002] Collection::Polling
2) [C0019] Data Micro-objective::Check String
3) [C0046] File System Micro-objective::Create Directory
4) [C0049] File System Micro-objective::Get File Attributes
5) [C0050] File System Micro-objective::Set File Attributes
6) [C0007] Memory Micro-objective::Allocate Memory