MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1d890163f681d1c94337e6459b9c233180ebe755e94095315f7acf0171e1eea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	f1d890163f681d1c94337e6459b9c233180ebe755e94095315f7acf0171e1eea
SHA3-384 hash:	8c43f078292052b98faa58abce4179d33f92d78b8e1d62ca5cf6ebd87307ac3d6ab09215177f0d0b57e3b5032f20a726
SHA1 hash:	297b3aac174cf4a4730725e817171ab329265c29
MD5 hash:	4fe6296c8b2154cf5f562aabafd9c5fb
humanhash:	wolfram-paris-fourteen-fifteen
File name:	f1d890163f681d1c94337e6459b9c233180ebe755e94095315f7acf0171e1eea
Download:	download sample
Signature	Gozi Create hunting rule
File size:	280'576 bytes
First seen:	2022-03-21 08:14:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	beef0e239bafb748de7fe31ae987ee1f (1 x Smoke Loader, 1 x Stop, 1 x Gozi)
ssdeep	3072:3m8DHLcAjOoM49GGuk5rM1NGnwxrPd5g3M/h3VK48r:NDHLcAy+BvwlI3oK48r
Threatray	5'955 similar samples on MalwareBazaar
TLSH	T1B854AF313691E833C0561530882ACFA35A6EB83159B1D60777A43B6D6F323C29F6A35F
File icon (PE):
dhash icon	327e7c7d727e6e66 (1 x Gozi)
Reporter	JAMESWT_WT
Tags:	exe Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

222

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/253356/

Detection(s):

Win.Dropper.Stop-9938042-0

Win.Dropper.LokiBot-9941258-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Launching a process

Creating a window

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/10043/overview

Behaviour

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm greyware

Link:

https://www.filescan.io/uploads/62383411b94fb38cb4c15633/reports/37f4a035-72bd-428e-8ba2-d982f02f8d39/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b360df31-4136-453b-91c9-0bb8fec042a1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f1d890163f681d1c94337e6459b9c233180ebe755e94095315f7acf0171e1eea/

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2022-03-09 03:05:36 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

37 of 42 (88.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6hmjafr7naorzfbtpzsftoocgmma5ptvl2kasuyv66wpafy6d3va._file

Verdict:

malicious

Label(s):

gozi

Gozi

1c6632f98426b86189fde78f0f529fe42eeb2653412b0003090ae6a42c91d268

Gozi

4bd004047533752383486ead4f6ce67459d38f816d63d110744f0df009b2d022

Gozi

81dd784ad8e4a6924b1b0ee5ebf09d3018e3bda4225f3c89439e8846cf5e09d9

Gozi

efd04e8f37b1a511e4c723356220d4c07a27a8e8b5a370ea7a7a6b8a5d98ea6b

Gozi

+ 5'945 additional samples on MalwareBazaar

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:7622 banker suricata trojan

Link:

https://tria.ge/reports/220321-j5mcrsafck/

Behaviour

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Gozi, Gozi IFSB

suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

Malware Config

C2 Extraction:

botanlink.top
linkspremium.ru
premiumlists.ru

Unpacked files

SH256 hash:

3741ce477a577747dcd6da7a71ae3b5bbe48019b18fb84d2d1aeee0002d9d2d1

MD5 hash:

657b770929aecf3218bb2b9cc801b666

SHA1 hash:

d16f8f83e71a93a061ae4ff3b5e5158959483c60

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/12cccc5e-823e-43c9-9d68-6cba2b787441/

Parent samples :

efd04e8f37b1a511e4c723356220d4c07a27a8e8b5a370ea7a7a6b8a5d98ea6b
9eb0bdb45d505a24290b3fe9adb1ac5c856238e91358fcf7e6af73d9a1b9c244
da620c65032d49a148b428dab566fed2a1a9af6fb0f53ffc4ea75ae54a2cd6a9
1c6632f98426b86189fde78f0f529fe42eeb2653412b0003090ae6a42c91d268
4bd004047533752383486ead4f6ce67459d38f816d63d110744f0df009b2d022
57d9f65f62b63e02b194c97d66d478f70a75df94abc134d45e02539cbb33d961
14e041ad11be886018e643ed1cff9abe512e787bec794ab585e75f91e2da119e
02f23031b04660ce5d0a3dbd6862640895e37c649963c02d0b367a17d8422ffe
bc2bd3c448b2348629da59a454f409ad5b60f2eb21f175e7e49dd04b2703c0ea
f1d890163f681d1c94337e6459b9c233180ebe755e94095315f7acf0171e1eea
eda3487d5cce3777e504ae88f362c2352de1642fa86200e005ba5a7a3bfbdec0
50ed0329ffb7ae83f7a8042ef7f6bd5af5f308e52f479965358cfe4d646b1847

SH256 hash:

cba3ec7d0bc169ca0ce4a53d8d2ee753354991867fc0264a93639300e4f6f333

MD5 hash:

e7f49957d916e15bf8449f566e9eda8c

SHA1 hash:

391c87ab0dbcc802a8f8d727380caa4c8e9bc781

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/12cccc5e-823e-43c9-9d68-6cba2b787441/

Parent samples :

SH256 hash:

f1d890163f681d1c94337e6459b9c233180ebe755e94095315f7acf0171e1eea

MD5 hash:

4fe6296c8b2154cf5f562aabafd9c5fb

SHA1 hash:

297b3aac174cf4a4730725e817171ab329265c29

Link:

https://www.unpac.me/results/12cccc5e-823e-43c9-9d68-6cba2b787441/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f1d890163f681d1c94337e6459b9c233180ebe755e94095315f7acf0171e1eea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.