gozi_ifsb | b4966efca7172b4236468b47735f1de8a44b094eb9ac6101cb4ca84cf128400e | Triage

Sharing

General

Target

b4966efca7172b4236468b47735f1de8a44b094eb9ac6101cb4ca84cf128400e
Size

41KB
Sample

220201-leeakscbbq
MD5

1bbb719ff6dfa35fc4fc297ef873228b
SHA1

a5f856ae20dd7d84484b4b62c9e1898f833f0f28
SHA256

b4966efca7172b4236468b47735f1de8a44b094eb9ac6101cb4ca84cf128400e
SHA512

58a5ed179dc9cc2926a45fe093ea9c0af1ef3bb3778ebfb1506063fd0aec0df10099f3aa06c7abff0da49b91d3df94d7f0f81dc6ef01f4385c096e8cc72cfbc9

Score

10^/10

gozi_ifsb 8899 persistence suricata

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

C2

microsoft.com/windowsdisabler

windows.update3.com

grmalo.site

Attributes

base_path
/kraus/
build
260222
dga_season
10
exe_type
loader
extension
.jpe
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  b4966efca7172b4236468b47735f1de8a44b094eb9ac6101cb4ca84cf128400e
- Size
  
  41KB
- MD5
  
  1bbb719ff6dfa35fc4fc297ef873228b
- SHA1
  
  a5f856ae20dd7d84484b4b62c9e1898f833f0f28
- SHA256
  
  b4966efca7172b4236468b47735f1de8a44b094eb9ac6101cb4ca84cf128400e
- SHA512
  
  58a5ed179dc9cc2926a45fe093ea9c0af1ef3bb3778ebfb1506063fd0aec0df10099f3aa06c7abff0da49b91d3df94d7f0f81dc6ef01f4385c096e8cc72cfbc9
Score

10^/10

persistence suricata
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

persistencesuricata