gozi_ifsb | 45d21facb7fc4c29e8c8c85019103b288dd033a6ed643a24560ae9dbd9077af5 | Triage

Sharing

General

Target

45d21facb7fc4c29e8c8c85019103b288dd033a6ed643a24560ae9dbd9077af5
Size

260KB
Sample

220201-a5brlaechl
MD5

5fb5a9b0660aabcbd3519703f056a2d7
SHA1

d86b1a24ef7e83cf36329157c23be14f512f6605
SHA256

45d21facb7fc4c29e8c8c85019103b288dd033a6ed643a24560ae9dbd9077af5
SHA512

4347e7a034f6f48eed69df955f4e93506955c78950af40bad69a34de47f816ac4f1963f47864c4f4298d0587c9166b711b2d4c03ac3fe25b997023ba69955e9b

Score

10^/10

gozi_ifsb 2200 persistence

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2200

C2

api3.lepini.at/api1

app.crasa.at/api1

g4xp7aanksu6qgci.onion/api1

g8.farihon.at/api1

hop.feen007.at/api1

l35sr5h5jl7xrh2q.onion/api1

ram.unici.at/api1

kol.frencko.at/api1

chat.pinole.at/api1

6buzj3jmnvrak4lh.onion/api1

c56.lepini.at/api1

cd1.novand.at/api1

wert.paratim.at/api1

Attributes

build
250180
exe_type
worker
server_id
730

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  45d21facb7fc4c29e8c8c85019103b288dd033a6ed643a24560ae9dbd9077af5
- Size
  
  260KB
- MD5
  
  5fb5a9b0660aabcbd3519703f056a2d7
- SHA1
  
  d86b1a24ef7e83cf36329157c23be14f512f6605
- SHA256
  
  45d21facb7fc4c29e8c8c85019103b288dd033a6ed643a24560ae9dbd9077af5
- SHA512
  
  4347e7a034f6f48eed69df955f4e93506955c78950af40bad69a34de47f816ac4f1963f47864c4f4298d0587c9166b711b2d4c03ac3fe25b997023ba69955e9b
Score

10^/10

persistence
- Suspicious use of NtCreateProcessExOtherParentProcess
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2