MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9aa16739f6abd1b313690e24c15b5d958e5cda35fd8bccfad3b7c7eb5ebc74e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9aa16739f6abd1b313690e24c15b5d958e5cda35fd8bccfad3b7c7eb5ebc74e
SHA3-384 hash: bacb2bc4b2d0b5e8deabb9374716b4066325ea88288b61a3639d4b06b4a5226de2b76e66faae705243def7be0195ab0c
SHA1 hash: 8cbb18ebcd69be1a356bdd8516889c1d0b09ee7d
MD5 hash: dbade9bdcff53a58bb20881c07490662
humanhash: ink-equal-coffee-fifteen
File name:finanz.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:215'552 bytes
First seen:2023-01-05 09:23:43 UTC
Last seen:2023-01-05 10:33:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7bca87c7309353055aed194207c93e99 (5 x RedLineStealer, 3 x Smoke Loader, 2 x DanaBot)
ssdeep 3072:GXsrymDLtwzfV5lA53PcPSkgGl8foBwZ3tWF7jmcnmcTdLXGpl:ugLt0V5l2PE3GZ9WFucj5
Threatray 1'412 similar samples on MalwareBazaar
TLSH T19024BF113585C472C1B719384838EAA46E3BBCB35974D4BB3B543B2FAF702D09A66787
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1024e398c4e72158 (25 x Smoke Loader, 24 x RedLineStealer, 5 x Tofsee)
Reporter JAMESWT_WT
Tags:31-41-44-153 31-41-44-154 62-173-138-164 agenziaentrate exe Gozi mise Ursnif

Intelligence

File Origin
# of uploads :
4
# of downloads :
229
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
ursnif
Create hunting rule
ID:
1
File name:
finanz.exe
Verdict:
Malicious activity
Analysis date:
2023-01-05 09:24:41 UTC
Tags:
trojan gozi ursnif dreambot
Link:
https://app.any.run/tasks/f055755f-3d4c-4d2d-8f52-f4ef1b10fcaf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349601/
Detection(s):
SecuriteInfo.com.Heur.Mint.Zard.52.21757.14853.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63b69734fc9525ae8a44dc1d/reports/91782f8b-0aa8-489e-8f9a-b2afe9a728f6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25fb914c-fc84-4633-b82e-c037797f7be5
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145549
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9aa16739f6abd1b313690e24c15b5d958e5cda35fd8bccfad3b7c7eb5ebc74e/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-01-05 09:31:48 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7gvbm447nk6rwmjwsdreyfnv3fmoltndl7mlzt5nhn6h5nply5ha._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0bb6252f63c48ac085396dcbbac497f62ef59215f587ea298bff5ab8b6a367c5
Gozi
0e1612ad2f5c6f675e1ad23e9321b88a45b719a34a00271121950c0465ffb525
Gozi
2ffce4a30025c7b0c408da211a4a5c00c395c4933b94ecfa818a8c1aea5ae4d2
Gozi
b59c9c2c9df5daeedfa78f14ea42b94d4fc2308db18bef199108723a7533f592
Gozi
c0bbb556f5f3c43c100a68d34ecd1a19f8b5afe3675836cf8cd5eb29afa7cc72
Gozi
e618373bcb637daae36db8511d2dfdb6a7e227b4e2192af4a6b36be0390616a0
Gozi
eb63815fe857388258f8fc6424fd41945f213b060fbb821329f03660bfd65d21
Gozi
ebfcf679363659ae76c7194c1866c37e2308d4ce27276f2ec7ff6aebb4f245f0
Gozi
f5717aef9a4323816387603920b652a94ac0d9cedef36391cedd9cdcbfef7f60
Gozi
fceb8d758785f33f7184166b83d4d5129ee8907b5525be11afe4e614b71c56de
Gozi
+ 1'402 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7702 banker isfb trojan
Link:
https://tria.ge/reports/230105-lc2cbsfa4t/
Behaviour
Gozi
Malware Config
C2 Extraction:
checklist.skype.com
62.173.138.160
31.41.44.122
193.0.178.141
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/15c2bea4-2bd8-41bb-9eb5-a5c3fbb01f3f
Unpacked files
SH256 hash:
c84fa890c3e4e14c2bad02c07742df873f0512b875f0ac2862dcf1155bdc6236
MD5 hash:
a7394d6c7c62106bb5a74711d5d4be06
SHA1 hash:
da0fa31b78fd5bd4be52e2823bb104291ae7dd50
Link:
https://www.unpac.me/results/b2d3e9a7-974f-48a9-a55b-2ba3a2f5a03b/
SH256 hash:
584cbb9fc336e7c571bcb61c7f6e6eee7af60a56c81bf2d3f2b60338de0b7354
MD5 hash:
16354909ed898b5cfd7a93f3276738d2
SHA1 hash:
4bedd0621709dd570494a0fa47998142d8cc4697
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/b2d3e9a7-974f-48a9-a55b-2ba3a2f5a03b/
Parent samples :
f9aa16739f6abd1b313690e24c15b5d958e5cda35fd8bccfad3b7c7eb5ebc74e
bafa4a069b63558ae3c4446fafdae3795b1278d220df5e626c190bcfeafe8391
1d499ec71aea2f8df3af51d2b38a32bc576e86067312a09ca553b83e66b23eb5
f3b4b8019816730113bc980e8da9a5fe7a5c7ea9da14a2db1456414f6800cd86
SH256 hash:
f9aa16739f6abd1b313690e24c15b5d958e5cda35fd8bccfad3b7c7eb5ebc74e
MD5 hash:
dbade9bdcff53a58bb20881c07490662
SHA1 hash:
8cbb18ebcd69be1a356bdd8516889c1d0b09ee7d
Link:
https://www.unpac.me/results/b2d3e9a7-974f-48a9-a55b-2ba3a2f5a03b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9aa16739f6abd1b313690e24c15b5d958e5cda35fd8bccfad3b7c7eb5ebc74e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349601/

Comments