General
-
Target
http://ntv-play.com/video/04169823/tls/console-play.exe
-
Sample
210816-ehaj4hbq12
Malware Config
Extracted
gozi_ifsb
1001
updates.esset.com
jensjen.in
strongbilt.cc
drauduburr.ws
besstrown.cn
druckenshtalen.mn
grantedii.co
loudam62.tk
libricee.in
burbasoftw.pw
waiseen.io
trumphujtebevrot.bit
ymxslfmppjcvwkrjtfnr.co
ohnjjxasfxgxiakhtohn.in
hnhccsotdqftyicvossk.at
xcgrdxcmfirfvignnfea.ws
umvwdtbenbinronbohcc.pw
-
dga_season
10
-
dns_servers
107.174.86.134
107.175.127.22
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
http://ntv-play.com/video/04169823/tls/console-play.exe
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata: ET MALWARE Ursnif Variant CnC Beacon
-
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
-
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-