MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6e897ad1b6e528be9e2caa9cb1ad48d451b354681636e160cc4e9c7a0c6ab43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6e897ad1b6e528be9e2caa9cb1ad48d451b354681636e160cc4e9c7a0c6ab43
SHA3-384 hash: 776fae4b5ab8cefadf5b3086468f956d4b4da86acdcaf5400e0314aba085bc0d4b3ace53c378c063f84fa96b10de7f36
SHA1 hash: 2d6bab82f9a8aab080ddbec308aba6bd3da7b4d9
MD5 hash: f947d58595fc0567fb9bfa3c7f609ebc
humanhash: mexico-timing-quiet-item
File name:iec56w4ibovnb4wc.onion_Library__GoziGroup__vCfjTmdR.exe_.exe.malw
Download: download sample
Signature Gozi
Create hunting rule
File size:386'528 bytes
First seen:2020-03-18 22:12:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ebe507123723800973958e5f7d66d026 (1 x Gozi)
ssdeep 3072:jiJoy9vwunnC2SKbBGgyz+Y3VaETK0/SryFoWiYc+/vcbef50JUaRKV/1aDVnILK:jiJoKounYKlGg8+mpbs
Threatray 680 similar samples on MalwareBazaar
TLSH AF846A81E14CA8E8D41B117E9C3EF911181A7F8D44B9D5093A7E7F1A7FF338225A6D0A
Reporter ov3rflow1
Tags:Gozi malw

Code Signing Certificate

Organisation:Certum EV TSA SHA2
Issuer:Certum Trusted Network CA
Algorithm:sha256WithRSAEncryption
Valid from:Mar 8 13:10:43 2016 GMT
Valid to:May 30 13:10:43 2027 GMT
Serial number: FE67E4F15A24E3C60D547CA020C27670
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: D9CAABC3225B7030CDB83E3846E3691C14ED790B1764CE1B4F043157899C5C58
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Gozi.315.28727.13968.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Agentb
Create hunting rule
Status:
Malicious
First seen:
2018-07-25 14:57:43 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
dridex
Create hunting rule
emotet
Create hunting rule
Similar samples:
1c359f210df80175b3fe8205db122f9380bbf4fcf2eabfc10c98a32d79e21c44
Gozi
278e368f49b3dc5e72eb5c81abc8b379167ab4a1ef282c61485dccd5cbd12b8d
Gozi
35dc29c0132f1684fc8ed518f98d959bd982ef058b3ba24d8a23ea1507452621
Gozi
3c1ce75269219a15d338a103c5e5baf8629438d062474a7c11e3792fdcabdf06
Gozi
42433b509118c66781f3fbc95e1ea506d71260171c9462a085ff515619f1ca81
Gozi
89146747e32e3c641c05585ff782874aeca718398f189a7dc37dd0e9b55895a5
Gozi
99146cd4d31df0f8f76aab7a7f78992140ead8d7ff847b9c56707335d81d96e4
Gozi
bc6a7b0e544aade9fc2a48c08ad4aaebd3743396d120f86d9d81b3c8757d9888
Gozi
cc20b331f9b2b1ab79cf8e3570ee00d39a22c2f6029097d3c78c4e8903a391b1
Gozi
f6fc7442449ac48b039f5e29230bd26383b62bee2a050f5e81553755b69e6f25
Gozi
+ 670 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6e897ad1b6e528be9e2caa9cb1ad48d451b354681636e160cc4e9c7a0c6ab43

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/95558/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AssignProcessToJobObject

Comments