MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8f27ae04481c96fdc875300dee32d19017a888d730e1f1586163be2a6a55176. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8f27ae04481c96fdc875300dee32d19017a888d730e1f1586163be2a6a55176
SHA3-384 hash: 6a95d189a072cb9ff4d25177bc9c24b4971149f39e0b240534fad718e1b37c8a45963e84c2310bfbc0af33dbc3c58655
SHA1 hash: 83dbf1b2cc980b6f6f1075501d620bca1c8a476f
MD5 hash: de33661828b4e6913ea31238f3261c8f
humanhash: whiskey-alabama-arkansas-july
File name:file
Download: download sample
Signature Gozi
Create hunting rule
File size:105'592 bytes
First seen:2022-11-21 19:29:23 UTC
Last seen:2023-08-24 16:48:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'844 x AgentTesla, 19'775 x Formbook, 12'298 x SnakeKeylogger)
ssdeep 1536:qb+hj/vfw502HMrrn09OjGZG4gQ2++QzBunu9PQofO52HjzwVclJVtbkPxLF+:qb+lSDM0AyZbll9OKzqYJVtoxx+
Threatray 3'522 similar samples on MalwareBazaar
TLSH T1D4A3D057075C45F9F35A0731B4E12E863E31EE9E497AEAED719F700AAF313522A23016
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter jstrosch
Tags:.NET exe Gozi MSIL signed

Code Signing Certificate

Organisation:LIMESTONE DIGITAL LIMITED
Issuer:SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-12T16:50:16Z
Valid to:2023-10-12T16:48:39Z
Serial number: 4d2dc3c461ff097059bc7440dac6207b
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: d64f03f1738a5fb5b1c02ae09bdfe0d95101530eb356cbfb323afd7c0793502a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Open.exe
Verdict:
Malicious activity
Analysis date:
2022-11-19 01:13:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/891587e9-edb7-4491-aff5-2dde50b14735

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336926/
Detection(s):
SecuriteInfo.com.Trojan.Siggen19.5278.540.9434.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Searching for synchronization primitives
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Creating a file
Moving a recently created file
Creating a file in the Windows subdirectories
Launching a service
Modifying a system file
Moving a system file
Replacing system executable files
Creating a file in the system32 directory
Moving a file to the %temp% directory
Running batch commands
Possible injection to a system process
Setting a single autorun event
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/637bd1bcfe7e1beee2419696/reports/d23de8a5-ac9a-4d84-9af5-1f9515d2cca2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/737c3bcc-9c6a-4b5d-a18d-4e99befd20b7
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
phis.evad
Score:
32 / 100
Link:
https://www.joesandbox.com/analysis/1118442
Signature
Modifies Chrome's extension installation force list
Multi AV Scanner detection for submitted file
Obfuscated command line found
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 751154 Sample: file.exe Startdate: 21/11/2022 Architecture: WINDOWS Score: 32 152 Multi AV Scanner detection for submitted file 2->152 14 file.exe 17 5 2->14         started        18 InstallExtension.exe 2->18         started        20 msiexec.exe 2->20         started        22 VC_redist.x64.exe 2->22         started        process3 dnsIp4 150 downloads.miami 188.114.96.3, 443, 49701, 49702 CLOUDFLARENETUS European Union 14->150 122 C:\Users\user\AppData\Local\Temp\test.exe, PE32 14->122 dropped 124 C:\Users\user\AppData\Local\...\file.exe.log, CSV 14->124 dropped 24 test.exe 2 14->24         started        28 cmd.exe 18->28         started        126 C:\Windows\System32\vcruntime140_1.dll, PE32+ 20->126 dropped 128 C:\Windows\System32\vcruntime140.dll, PE32+ 20->128 dropped 130 C:\Windows\System32\vcomp140.dll, PE32+ 20->130 dropped 132 45 other files (none is malicious) 20->132 dropped 30 VC_redist.x64.exe 22->30         started        file5 process6 file7 108 C:\Users\user\AppData\Local\Temp\...\test.tmp, PE32 24->108 dropped 160 Obfuscated command line found 24->160 32 test.tmp 3 13 24->32         started        162 Uses cmd line tools excessively to alter registry or file data 28->162 35 reg.exe 28->35         started        38 chrome.exe 28->38         started        40 conhost.exe 28->40         started        44 12 other processes 28->44 42 VC_redist.x64.exe 30->42         started        signatures8 process9 file10 94 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 32->94 dropped 46 test.exe 2 32->46         started        154 Modifies Chrome's extension installation force list 35->154 50 chrome.exe 38->50         started        96 C:\Users\user\AppData\Local\...\wixstdba.dll, PE32 42->96 dropped 53 VC_redist.x64.exe 42->53         started        signatures11 process12 dnsIp13 120 C:\Users\user\AppData\Local\Temp\...\test.tmp, PE32 46->120 dropped 166 Obfuscated command line found 46->166 55 test.tmp 5 33 46->55         started        134 www3.l.google.com 216.58.215.238, 443, 49741 GOOGLEUS United States 50->134 136 clients2.google.com 50->136 138 3 other IPs or domains 50->138 file14 signatures15 process16 file17 100 C:\Users\user\AppData\Local\...\is-1UHB1.tmp, PE32+ 55->100 dropped 102 C:\Users\user\...\InstallExtension.exe (copy), PE32+ 55->102 dropped 104 C:\Users\user\AppData\Local\...\is-VO2P7.tmp, PE32 55->104 dropped 106 2 other files (none is malicious) 55->106 dropped 58 InstallExtension.exe 55->58         started        61 chrome.exe 55->61         started        65 VC_redist.x64.exe 3 55->65         started        67 cmd.exe 55->67         started        process18 dnsIp19 110 C:\Users\user\AppData\Local\...\reg.xml, XML 58->110 dropped 69 cmd.exe 58->69         started        146 192.168.2.1 unknown unknown 61->146 148 239.255.255.250 unknown Reserved 61->148 164 Uses cmd line tools excessively to alter registry or file data 61->164 72 chrome.exe 61->72         started        112 C:\Windows\Temp\...\VC_redist.x64.exe, PE32 65->112 dropped 75 VC_redist.x64.exe 71 65->75         started        78 conhost.exe 67->78         started        80 schtasks.exe 67->80         started        file20 signatures21 process22 dnsIp23 156 Uses cmd line tools excessively to alter registry or file data 69->156 158 Uses schtasks.exe or at.exe to add and modify task schedules 69->158 82 conhost.exe 69->82         started        84 schtasks.exe 69->84         started        140 e.dtscout.com 158.69.139.225, 443, 49712 OVHFR Canada 72->140 142 s4.histats.com 158.69.248.123, 443, 49709, 49710 OVHFR Canada 72->142 144 13 other IPs or domains 72->144 114 C:\Windows\Temp\...\VC_redist.x64.exe, PE32 75->114 dropped 116 C:\Windows\Temp\...\wixstdba.dll, PE32 75->116 dropped 86 VC_redist.x64.exe 75->86         started        file24 signatures25 process26 file27 98 C:\ProgramData\...\VC_redist.x64.exe, PE32 86->98 dropped 89 VC_redist.x64.exe 86->89         started        process28 process29 91 VC_redist.x64.exe 89->91         started        file30 118 C:\Windows\Temp\...\wixstdba.dll, PE32 91->118 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8f27ae04481c96fdc875300dee32d19017a888d730e1f1586163be2a6a55176/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7dzhvyceqhew7xehkman5yzndeaxvcenomhb6fmgcy56fjvfkf3a._file
Verdict:
suspicious
Label(s):
gozi
Create hunting rule
Similar samples:
02201f5f3630302f9914837b5b618ca0870ec75b459544ac42cb88a706b217a1
Gozi
3fde627f59b1b425dbb14ddc26a088019524e089a19b0548f953ee63a573601b
Gozi
4533b5392f6e49cf20ee0821b4c8b6b74b8af274995646791ec7fe48a2615425
Gozi
529278edf5caa133d25e0a3ef7d138124529695f1d5a8a03aace868702ffcd64
Gozi
84dbd6ec8da76543febdcadfd7021992b1b1f95ac11327517795b621a6b183d4
Gozi
a36a3366706789363864b5c0b03b0c49ce72fea8d1c3150285d16a604edbc866
Gozi
ab62ae9f4f7e797648fd4de6633357f704d4799f77844a0368a17ad21d2a2958
Gozi
aed50a5da5a71dbee227b9de4c9ee68ec20e9814928b16fb231784c3d45ef4a2
Gozi
d8458568836e79d02861dc6d6f8059ab9de9a61155d93742130f93b7876f75ca
Gozi
f97868b93747008b2b67f509958fa5e7d3d380d384042ca655f9a6f77c610532
Gozi
+ 3'512 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/221121-x7st8ahb8s/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
f8f27ae04481c96fdc875300dee32d19017a888d730e1f1586163be2a6a55176
MD5 hash:
de33661828b4e6913ea31238f3261c8f
SHA1 hash:
83dbf1b2cc980b6f6f1075501d620bca1c8a476f
Link:
https://www.unpac.me/results/5720a482-9a16-4461-a3d5-cd39c2b22591/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f8f27ae04481c96fdc875300dee32d19017a888d730e1f1586163be2a6a55176

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe f8f27ae04481c96fdc875300dee32d19017a888d730e1f1586163be2a6a55176

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/336926/
  
URLhaus
https://urlhaus.abuse.ch/url/2429103/

Comments