gozi_ifsb | 41ff7a77daa0cdcb6e0d2c3c9c2e1e217ed5f291660837940f77965d59b06aa6 | Triage

Sharing

General

Target

41ff7a77daa0cdcb6e0d2c3c9c2e1e217ed5f291660837940f77965d59b06aa6
Size

223KB
Sample

220201-a5dwysehb6
MD5

9e46c465b536cde41ba37d91150f3932
SHA1

7c8c2e9150d63be0c7c2bbb07eb1cb3fb667d91e
SHA256

41ff7a77daa0cdcb6e0d2c3c9c2e1e217ed5f291660837940f77965d59b06aa6
SHA512

04f94a5103c543091b052aebd89e22cd0a46fe3ddcd1abe8748eb465eba08845eb10f069aeec3e748041f8f62add0cfccc66196840aaaf8429466447b60595dc

Score

10^/10

gozi_ifsb 2002 persistence

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2002

C2

download1.avira.com

jensjen.ws

karakstr.in

vutingerta.cc

lohnessin.to

mamfurtesa.pw

fullbasserts.co

likositenida.tk

rupies100.cn

kikoneen.io

lampenshutze.mn

trumphujtebevrot.bit

Attributes

base_path
/images/
dga_season
10
dns_servers
107.174.86.134
107.175.127.22
exe_type
worker
extension
.avi
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  41ff7a77daa0cdcb6e0d2c3c9c2e1e217ed5f291660837940f77965d59b06aa6
- Size
  
  223KB
- MD5
  
  9e46c465b536cde41ba37d91150f3932
- SHA1
  
  7c8c2e9150d63be0c7c2bbb07eb1cb3fb667d91e
- SHA256
  
  41ff7a77daa0cdcb6e0d2c3c9c2e1e217ed5f291660837940f77965d59b06aa6
- SHA512
  
  04f94a5103c543091b052aebd89e22cd0a46fe3ddcd1abe8748eb465eba08845eb10f069aeec3e748041f8f62add0cfccc66196840aaaf8429466447b60595dc
Score

10^/10

persistence
- Suspicious use of NtCreateProcessExOtherParentProcess
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2