gozi_ifsb | 8ecbae4985b7df072bd6df4b60f194fdcabd92bb336e11f8ca40987a5a81b1e3

General

Target

8ecbae4985b7df072bd6df4b60f194fdcabd92bb336e11f8ca40987a5a81b1e3
Size

240KB
Sample

220201-a2jb9segg3
MD5

4167ba311c381dbda9f12c274b81e782
SHA1

7feb73ac6aeef592a01039131a13bfa73fbba412
SHA256

8ecbae4985b7df072bd6df4b60f194fdcabd92bb336e11f8ca40987a5a81b1e3
SHA512

bd7ce739ead9aeb4c0c24a84ee39fcaefdf7e5f69b98b781bf61d332dc7a3ac002426c9512ded770a71ccf7572dc5227e1a04a61139661bb4fe98caf03b8caad

Score

10^/10

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1500

C2

todo.faroin.at

apr.intoolkom.at

app3.crasa.at

r23cirt55ysvtdvl.onion

kas.kargoapp.at

io.feen007.at

gtk.uploner.at

l46t3vgvmtx5wxe6.onion

api2.biborexa.com

free.monotreener.com

xhr.vionedino.com

cdn8.novand.at

tb.yapker.at

Attributes

exe_type
worker
server_id
580

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  8ecbae4985b7df072bd6df4b60f194fdcabd92bb336e11f8ca40987a5a81b1e3
- Size
  
  240KB
- MD5
  
  4167ba311c381dbda9f12c274b81e782
- SHA1
  
  7feb73ac6aeef592a01039131a13bfa73fbba412
- SHA256
  
  8ecbae4985b7df072bd6df4b60f194fdcabd92bb336e11f8ca40987a5a81b1e3
- SHA512
  
  bd7ce739ead9aeb4c0c24a84ee39fcaefdf7e5f69b98b781bf61d332dc7a3ac002426c9512ded770a71ccf7572dc5227e1a04a61139661bb4fe98caf03b8caad
Score

8^/10

persistence
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Sets service image path in registry

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2