MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766
SHA3-384 hash:	542620b17801e4228d45b60dbe00aa632a9eddce11c171021a446c8fcbf920804dd63b3d32169baba36c63a716c1c5d2
SHA1 hash:	5e8b27d57f6c9dc02cf2e30d47f8ed439f0fa20e
MD5 hash:	5572213d17be7de71f36fa68eb6808a8
humanhash:	london-kilo-angel-grey
File name:	62835e34e60c1.dll
Download:	download sample
Signature	Gozi Create hunting rule
File size:	442'368 bytes
First seen:	2022-05-17 08:35:48 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	a2b7486f7219709bc441af397fbc35ab (2 x Gozi)
ssdeep	6144:oE1iktxgcV9yjYJrTOkRLookGIw8OaDSOKdPmo6iJTk/DmpFkbakc+abuFGGGGGD:oE44xgcV9yjY1OkEGx/V72/DmSH6/
Threatray	677 similar samples on MalwareBazaar
TLSH	T13894E00965216A6EC9DC273DC9E5D31B1DA2B75CD23E70BE3CF43C9F7AE5125820428A
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	4a696ddce4f4f261 (26 x Gozi, 9 x AgentTesla, 3 x FFDroider)
Reporter	JAMESWT_WT
Tags:	DHL dll Gozi isfb italy Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

801

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/271412/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62835e8589139be21fdd146b/reports/39fd3690-9552-46a1-8f31-6dbd802e2cf3/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f9bf7a82-a3de-4435-844e-87f7a257478f

Detection:

isfb

Link:

https://mwdb.cert.pl/sample/f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2022-05-17 08:36:07 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6whzzdtkmird56rghwqqquhbraaei4olfptfezfx7epsp25la5ta._file

Verdict:

malicious

Label(s):

gozi

Gozi

22a462b2da9c893b5f37dbbc19697d6aeaa28758c2338fca3a806e8d9d3ac483

Gozi

315b13c6d80997dd76a01c15b78651d7a1cb54f8432fc25ad95c8573ba4b52d6

Gozi

3362915be3f3ed1572f4ba757d155608f54a460fd935bfe3f37138cf0fe383b6

Gozi

5298257931fb4fcb64bd0e0ba48a2f1f4f1b501813b27d2aabd82056a4feb957

Gozi

9c2a2b8d88ab02d37e21c9b97f10b26543daedf353ce76c17b445688b0a041d6

Gozi

a7e43f89844a769fd9607d78151ebcfac02f58412f7800701b9978e11c82656c

Gozi

+ 667 additional samples on MalwareBazaar

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:3000 banker trojan

Link:

https://tria.ge/reports/220517-khkfbscbbl/

Behaviour

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Gozi, Gozi IFSB

Malware Config

C2 Extraction:

config.edge.skype.com
185.189.151.28
185.189.151.70

Unpacked files

SH256 hash:

8bc96b65bcff25c71338a36aa29ab9eb8ca59afc7ab0e6942b199e7c7fa1ad96

MD5 hash:

fa78697c92e01fb5a939e9b230adf195

SHA1 hash:

feea5e4728271e16f7b9060a79e7445cd4a90b7e

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/e16dfec6-a89c-4bd6-bea2-831503789e99/

Parent samples :

f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766
e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d

SH256 hash:

04ad521a0dc453da7e46da119b1db4e3b7fec9cfded3c04d2fe4a0cc406ae0ab

MD5 hash:

8ec0d82736d752af0beb3bff8772fa9f

SHA1 hash:

adffe30d9698eb71f3aca5dc0640a821d4c34e01

Link:

https://www.unpac.me/results/e16dfec6-a89c-4bd6-bea2-831503789e99/

SH256 hash:

f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766

MD5 hash:

5572213d17be7de71f36fa68eb6808a8

SHA1 hash:

5e8b27d57f6c9dc02cf2e30d47f8ed439f0fa20e

Link:

https://www.unpac.me/results/e16dfec6-a89c-4bd6-bea2-831503789e99/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/271412/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample