MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef0d6ddb130fee72d17b1c077b332c474205897f806b16d2dd130768429b9add. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef0d6ddb130fee72d17b1c077b332c474205897f806b16d2dd130768429b9add
SHA3-384 hash: af6c0f5feb033dc7cac9ee9b554fc868a29b5808b8a7eea72b7a78644c9a6a70f3499c311f8b7c06886e9ce2a0ac36e2
SHA1 hash: ddce377ad535247072c3bcecfccab7003951f3f1
MD5 hash: 2f78792102a7c85c5cf25a3d7c11d36b
humanhash: steak-montana-north-enemy
File name:fv_022020.pdf.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:104'448 bytes
First seen:2020-03-17 17:49:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8aed997ff53e74f0117c2acfe1449da7 (1 x Gozi)
ssdeep 1536:L006ZYFTO+UXOX8RFNwW1E0gMPlQijovPQrLqHJmH6C0CzoUMf:L0V/XOX8RFNBFhPlQArLbH60Mf
Threatray 360 similar samples on MalwareBazaar
TLSH 25A3BE11B7F18132F2F3567419B4D2615A3FBCA35B78848F3A6402AA5FB16D28E74723
Reporter w3ndige
Tags:Dreambot exe Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'969
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Mikey-7591291-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-02-07 12:20:35 UTC
AV detection:
24 of 30 (80.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=54gw3wytb7xhful3dqdxwmzmi5balcl7qbvrnuw5cmdwqqu3tloq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
22a8827e130acc160f37cb5f78da95221287b06b4e593efdfd0dd03283945e02
Gozi
3fe5fdbdc141727dc6b70a7c8e2c7700a0eef1ee6236d7a5cb62b15c75ab9f26
Gozi
685d9e6eb627ace649965ef0549cec63d4b12e21bce641591fbe32ef6ca7350d
Gozi
8faef49d64b36052e6648a0426fb2f71af70d9b434be548841a4707fada2410a
Gozi
92531c1c46721abadcbc92de961a40f50940f1409c31d84cbc8129ce860968e3
Gozi
a6e6d01862c62f53c73f50d34e5209d51100244389a6fbc0f5863d59154582af
Gozi
aa0b542cfde007f858cd18f0b3a104ccaa6c401c26e908829aed144e13471f20
Gozi
c7a24df45e43686f1331c01a5c77ca492924482e29099e778fdee153e88d8363
Gozi
cff7986462a1035c053de4021e2a59ff8de076b7843137354f871084eaa60f9e
Gozi
eb55844a34109790b370caba8afbcafb1fd52d0575b7c031cf21a0ff74f7bbc1
Gozi
+ 350 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef0d6ddb130fee72d17b1c077b332c474205897f806b16d2dd130768429b9add

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:internal research
Rule name:win_dreambot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::DestroyPrivateObjectSecurity
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAuditAccessAce
ADVAPI32.dll::GetPrivateObjectSecurity
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::QueryDosDeviceA

Comments