gozi_ifsb | 5dcb54ca7fb41c64c898b10db8a2752ea661d9334f5b41086767a928da73f5b5 | Triage

Sharing

General

Target

5dcb54ca7fb41c64c898b10db8a2752ea661d9334f5b41086767a928da73f5b5
Size

236KB
Sample

220201-a35lwsecel
MD5

abe0a4505d373e42bb373d64de450b53
SHA1

392d5333cbbe712d6fc634c3f88d780b83c639b5
SHA256

5dcb54ca7fb41c64c898b10db8a2752ea661d9334f5b41086767a928da73f5b5
SHA512

eb10a7f175d177366d02ded648e66f6e944a2836150a3847e8dc3d7df02b07d6c623dec0d8978a99bd226158e303821c02c5e41b228c153d84e6530d20ff683c

Score

10^/10

gozi_ifsb 8877 persistence

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8877

C2

microsoft.com/blog

195.123.213.53

185.186.244.85

185.186.246.32

dsakdjehrjwekrew.website

dasdfrjnkrnfjkwerrwe.website

Attributes

base_path
/images/
dga_season
10
dns_servers
107.174.86.134
107.175.127.22
exe_type
worker
extension
.avi
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  5dcb54ca7fb41c64c898b10db8a2752ea661d9334f5b41086767a928da73f5b5
- Size
  
  236KB
- MD5
  
  abe0a4505d373e42bb373d64de450b53
- SHA1
  
  392d5333cbbe712d6fc634c3f88d780b83c639b5
- SHA256
  
  5dcb54ca7fb41c64c898b10db8a2752ea661d9334f5b41086767a928da73f5b5
- SHA512
  
  eb10a7f175d177366d02ded648e66f6e944a2836150a3847e8dc3d7df02b07d6c623dec0d8978a99bd226158e303821c02c5e41b228c153d84e6530d20ff683c
Score

10^/10

persistence
- Suspicious use of NtCreateProcessExOtherParentProcess
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2