gozi_ifsb | 2d73219fe2a30d385d1c42e695d26d513f7ea708d833cc4f045ec204796b5f8a | Triage

Sharing

General

Target

2d73219fe2a30d385d1c42e695d26d513f7ea708d833cc4f045ec204796b5f8a
Size

222KB
Sample

220201-a6gn8sehd6
MD5

02122010b050f9047e1a3220c4627d7e
SHA1

f591f87c56fcc34798ab637064bd25121099673a
SHA256

2d73219fe2a30d385d1c42e695d26d513f7ea708d833cc4f045ec204796b5f8a
SHA512

9c8b855e721da9059b9d0b5c1a75fbdb985cdcc716d49d281ef4e5e480c2a8359575c069fe913487f41ad1f82fb09819072b6768e10e708088c0fd4585e32feb

Score

10^/10

gozi_ifsb 8877 persistence

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8877

C2

microsoft.com/blog

195.123.213.53

185.186.244.85

185.186.246.32

dsakdjehrjwekrew.website

dasdfrjnkrnfjkwerrwe.website

Attributes

base_path
/images/
dga_season
10
dns_servers
107.174.86.134
107.175.127.22
exe_type
worker
extension
.avi
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  2d73219fe2a30d385d1c42e695d26d513f7ea708d833cc4f045ec204796b5f8a
- Size
  
  222KB
- MD5
  
  02122010b050f9047e1a3220c4627d7e
- SHA1
  
  f591f87c56fcc34798ab637064bd25121099673a
- SHA256
  
  2d73219fe2a30d385d1c42e695d26d513f7ea708d833cc4f045ec204796b5f8a
- SHA512
  
  9c8b855e721da9059b9d0b5c1a75fbdb985cdcc716d49d281ef4e5e480c2a8359575c069fe913487f41ad1f82fb09819072b6768e10e708088c0fd4585e32feb
Score

10^/10

persistence
- Suspicious use of NtCreateProcessExOtherParentProcess
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2