gozi_ifsb | 706fe556dda1a54720c9229c9da70c676b877f2e891c5baa9575bb49286f01af | Triage

Sharing

General

Target

706fe556dda1a54720c9229c9da70c676b877f2e891c5baa9575bb49286f01af
Size

260KB
Sample

220201-a3a3aaecdm
MD5

180399358e2f9e3d55e85781888507a8
SHA1

3a9b010dea92c6e86a0932587786f2e5feb40f9d
SHA256

706fe556dda1a54720c9229c9da70c676b877f2e891c5baa9575bb49286f01af
SHA512

076b0343200f8fc5e6b100a717a910f992c62b144e9d505dc58252c96296b803dfe64844f942c60f05ae37ce2ccc2214013aac2218b0658e755a18a383da9aca

Score

10^/10

gozi_ifsb 2200 persistence

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2200

C2

api3.lepini.at/api1

app.crasa.at/api1

g4xp7aanksu6qgci.onion/api1

g8.farihon.at/api1

hop.feen007.at/api1

l35sr5h5jl7xrh2q.onion/api1

ram.unici.at/api1

kol.frencko.at/api1

chat.pinole.at/api1

6buzj3jmnvrak4lh.onion/api1

c56.lepini.at/api1

cd1.novand.at/api1

wert.paratim.at/api1

Attributes

build
250180
exe_type
worker
server_id
730

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  706fe556dda1a54720c9229c9da70c676b877f2e891c5baa9575bb49286f01af
- Size
  
  260KB
- MD5
  
  180399358e2f9e3d55e85781888507a8
- SHA1
  
  3a9b010dea92c6e86a0932587786f2e5feb40f9d
- SHA256
  
  706fe556dda1a54720c9229c9da70c676b877f2e891c5baa9575bb49286f01af
- SHA512
  
  076b0343200f8fc5e6b100a717a910f992c62b144e9d505dc58252c96296b803dfe64844f942c60f05ae37ce2ccc2214013aac2218b0658e755a18a383da9aca
Score

10^/10

persistence
- Suspicious use of NtCreateProcessExOtherParentProcess
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2