MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8388847ebddbc0c6db43ede0ee839fa304fc4786d4a7c8285eb746a5a2ee711. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	f8388847ebddbc0c6db43ede0ee839fa304fc4786d4a7c8285eb746a5a2ee711
SHA3-384 hash:	cc4ced16687d1a5e58f56ea7ae46adea617f8e3f69d1d7b8131241c4916cc557954968868e49db65e706aaebca341d27
SHA1 hash:	a0297ed108f534539bda64c7c0df0caefc18ec09
MD5 hash:	76ebba129360ad5093f0fe66910eb06d
humanhash:	michigan-burger-bravo-west
File name:	sadf.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	37'888 bytes
First seen:	2022-10-06 10:19:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1640d668d1471f340cbe565fe63522f6 (15 x Gozi)
ssdeep	768:LQLm41fM01vA4yRzFiCRn7IYbo7gMaBMOF6c629ptoj:LL41fMSv1AnRnFLMaMOF6c6YK
Threatray	849 similar samples on MalwareBazaar
TLSH	T1C203E0137B642D3EF6C305393E12E20147990175873FE1EA07B3642D9922EDB55AF786
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	0x746f6d6669
Tags:	exe Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

255

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/317245/

Detection(s):

SecuriteInfo.com.Variant.Zusy.387325.24659.27418.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Using the Windows Management Instrumentation requests

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/41511/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

gozi packed ursnif zusy

Link:

https://www.filescan.io/uploads/633eabd3c9e2f3435432eb30/reports/583d30e0-e4fc-4442-b32c-a3f75df91067/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a25723d6-7428-47f2-af7d-c372e2101681

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1084819

Signature

Antivirus / Scanner detection for submitted sample

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f8388847ebddbc0c6db43ede0ee839fa304fc4786d4a7c8285eb746a5a2ee711/

Threat name:

Win32.Infostealer.Gozi

Status:

Malicious

First seen:

2022-10-02 01:01:08 UTC

File Type:

PE (Exe)

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7a4iqr7l3w6ay3nuh3pa52bz7iye7rdynvfhzauf5n2guwro44iq._file

Verdict:

malicious

Label(s):

gozi

Gozi

61b6f378708dad610ed8d4665cbe460d91ffc2615adc28817c2c3f01352b00be

Gozi

64a6b3f1924ebcd8d162482001721ee6459e23811055b6d9d79c8db2d7af327f

Gozi

72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8

Gozi

893ba03135a5e8e53d4413ae269f85cab2dd56b451bd99cc233064df402d3f84

Gozi

8a7f259ecd7479314c5bd6e449a7b77f76173d4e636075f99a0b8eb765d3573a

Gozi

c0e28d4e88c59688657c839c344e6c1289002ef0ba461ebbf3cd4b75949312e9

Gozi

+ 839 additional samples on MalwareBazaar

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:200000 banker trojan

Link:

https://tria.ge/reports/221006-mc32lahcfl/

Behaviour

Gozi, Gozi IFSB

Malware Config

C2 Extraction:

trackingg-protectioon.cdn1.mozilla.net
45.8.158.104
188.127.224.114
weiqeqwns.com
wdeiqeqwns.com
weiqeqwens.com
weiqewqwns.com
iujdhsndjfks.com

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7b04db12-ce61-4051-9970-55aef588e282

Unpacked files

SH256 hash:

a3e48fcff77ef8504648c565dae10038d5a19c2a58f4926fa637feb52eb9ad0c

MD5 hash:

2c08faf0583b48c179fd2a1a600892f5

SHA1 hash:

a6e198282a28459a2a67baa37404f71d42a43dd9

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/67f78f26-f20f-4a0f-b820-1d160786f3f0/

SH256 hash:

f8388847ebddbc0c6db43ede0ee839fa304fc4786d4a7c8285eb746a5a2ee711

MD5 hash:

76ebba129360ad5093f0fe66910eb06d

SHA1 hash:

a0297ed108f534539bda64c7c0df0caefc18ec09

Link:

https://www.unpac.me/results/67f78f26-f20f-4a0f-b820-1d160786f3f0/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f8388847ebdd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

ursnif3

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f8388847ebddbc0c6db43ede0ee839fa304fc4786d4a7c8285eb746a5a2ee711

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/317245/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample