gozi_ifsb | 8a06f6660355b6b393f3ef0c42e148ad2f94e5677c375ddf415f733b06fcef32 | Triage

Sharing

General

Target

8a06f6660355b6b393f3ef0c42e148ad2f94e5677c375ddf415f733b06fcef32
Size

43KB
Sample

220201-lwzmvaceam
MD5

f52995516bb061fa7bc7f788b131cb68
SHA1

b8a808b508e57794aae41dc3e6d9ae64be0c0cce
SHA256

8a06f6660355b6b393f3ef0c42e148ad2f94e5677c375ddf415f733b06fcef32
SHA512

2fbaf82bdc00a3ddd8e1429867c7f980d00e41fc022b067dc5efabe7fdc35b892dcbec8203da67d86fc7756cde0bcba85bc9bf43377fbc52fe8c047c98a5287b

Score

10^/10

gozi_ifsb 2200 persistence suricata

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2200

C2

api10.laptok.at/api1

golang.feel500.at/api1

go.in100k.at/api1

Attributes

build
250180
exe_type
loader
server_id
730

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  8a06f6660355b6b393f3ef0c42e148ad2f94e5677c375ddf415f733b06fcef32
- Size
  
  43KB
- MD5
  
  f52995516bb061fa7bc7f788b131cb68
- SHA1
  
  b8a808b508e57794aae41dc3e6d9ae64be0c0cce
- SHA256
  
  8a06f6660355b6b393f3ef0c42e148ad2f94e5677c375ddf415f733b06fcef32
- SHA512
  
  2fbaf82bdc00a3ddd8e1429867c7f980d00e41fc022b067dc5efabe7fdc35b892dcbec8203da67d86fc7756cde0bcba85bc9bf43377fbc52fe8c047c98a5287b
Score

10^/10

persistence suricata
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

persistencesuricata