General
Target: 6.png
Size: 1.7MB
Sample: 211214-lhmq5agefp
MD5: ac57d694b86d8532b38d3d62f6de3afc
SHA1: c858ec742ba91bf8c139b7bb654ca2d67747c5ef
SHA256: fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e
SHA512: cd9635d667a43c0d6715ec05c114c424b3f1292d7997c8d6c86f937ff81a08262763d33621c7d75d3c2a5fac75b58c71489fe3360fd4a2d6c804e7a72a06683b
Static task: static1
Behavioral task: behavioral1
Sample: 6.png.dll
Resource: win7-en-20211208
Malware Config
Extracted
gozi_ifsb
8899
microsoft.com/windowsdisabler
windows.update3.com
berukoneru.website
gerukoneru.website
fortunarah.com
assets.msn.com
http://microsoft.com
79.110.52.217
79.110.52.215
45.9.20.190
45.9.20.128
aerukoneru.site
serukoneru.site
yerukoneru.site
karfaganda.com
base_path: /tire/
build: 260222
dga_season: 10
exe_type: loader
extension: .eta
server_id: 12
Targets
Target: 6.png
Size: 1.7MB
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
suricata: ET MALWARE [PTsecurity] Gozi/Ursnif Payload v12
Deletes itself
Drops file in System32 directory
Suspicious use of SetThreadContext