gozi_ifsb | 23251d989078d7d69c6cfe6de3c9f2102d5810266fc483e11e0c71ab000000ec | Triage

Sharing

General

Target

23251d989078d7d69c6cfe6de3c9f2102d5810266fc483e11e0c71ab000000ec
Size

222KB
Sample

220201-a6rt7sehd8
MD5

4cc0ab0723d94bf572c33ac7af89edba
SHA1

657f84c00323f99128856df23ea593d13addfbd5
SHA256

23251d989078d7d69c6cfe6de3c9f2102d5810266fc483e11e0c71ab000000ec
SHA512

8fdb7055e2098fc7ae814921d7128c215bf803a0ec1beb51b4d8ce6982a14aacf405cd3d3ff206a9a9834686eea147ad5251f4adcee065cdb9b9808d76570be2

Score

10^/10

gozi_ifsb 8877 persistence

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8877

C2

microsoft.com/blog

195.123.213.53

185.186.244.85

185.186.246.32

dsakdjehrjwekrew.website

dasdfrjnkrnfjkwerrwe.website

Attributes

base_path
/images/
dga_season
10
dns_servers
107.174.86.134
107.175.127.22
exe_type
worker
extension
.avi
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  23251d989078d7d69c6cfe6de3c9f2102d5810266fc483e11e0c71ab000000ec
- Size
  
  222KB
- MD5
  
  4cc0ab0723d94bf572c33ac7af89edba
- SHA1
  
  657f84c00323f99128856df23ea593d13addfbd5
- SHA256
  
  23251d989078d7d69c6cfe6de3c9f2102d5810266fc483e11e0c71ab000000ec
- SHA512
  
  8fdb7055e2098fc7ae814921d7128c215bf803a0ec1beb51b4d8ce6982a14aacf405cd3d3ff206a9a9834686eea147ad5251f4adcee065cdb9b9808d76570be2
Score

10^/10

persistence
- Suspicious use of NtCreateProcessExOtherParentProcess
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2