General

  • Target

    9e5008090eaf25c0fe58e220e7a1276e5501279da4bb782f92c90f465f4838cc

  • Size

    293KB

  • Sample

    220204-xbggbaeaal

  • MD5

    24513d582f685ab9fb8183b9f34812ac

  • SHA1

    b29ee2eb5b6ef34bbd3de96edc57a30424478d3e

  • SHA256

    9e5008090eaf25c0fe58e220e7a1276e5501279da4bb782f92c90f465f4838cc

  • SHA512

    46cf04d30900842ba7d883f583be688586c04a46e161eeab1308570aa41bde09cde9eac7be7f19e147898c7639f8af11378d3463f7593a2f898232bf91872cc8

Malware Config

Extracted

Family

gozi_ifsb

Attributes
  • build

    214098

Extracted

Family

gozi_ifsb

Botnet

3504

C2

google.com

gmail.com

javisoacso.com

x64jeffery5359.com

d68davontezb.top

Note: google.com and gmail.com are the benign decoy/connectivity-check entries that ISFB host lists carry ahead of the real servers; do not treat them as indicators. The three remaining domains are the actionable C2 entries from this config.

Attributes
  • build

    214098

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • rsa_pubkey.plain

  • serpent.plain

Targets

    • Target

      9e5008090eaf25c0fe58e220e7a1276e5501279da4bb782f92c90f465f4838cc

    • Size

      293KB

    • MD5

      24513d582f685ab9fb8183b9f34812ac

    • SHA1

      b29ee2eb5b6ef34bbd3de96edc57a30424478d3e

    • SHA256

      9e5008090eaf25c0fe58e220e7a1276e5501279da4bb782f92c90f465f4838cc

    • SHA512

      46cf04d30900842ba7d883f583be688586c04a46e161eeab1308570aa41bde09cde9eac7be7f19e147898c7639f8af11378d3463f7593a2f898232bf91872cc8

    • Gozi, Gozi IFSB

      Gozi ISFB (also tracked as Ursnif, the name used by the Suricata rules below) is a well-known and widely distributed banking trojan.

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

    • Sets service image path in registry
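The two Suricata hits above are named after the URI encoding of the beacon: the request body is base64-encoded and the characters '+' and '/' are rewritten as the tokens "_2B" and "_2F" before being placed in the URL path. The following is an added example, not code from this report or from the malware, that models that substitution, classifies a path against the two rule names, and recovers the raw (still Serpent-encrypted) blob so it can be fed to a decryptor using the extracted serpent.plain key. The helper names, the path layout used by extract_token, and the sample URIs are constructed for illustration; the actual rule bodies are not reproduced.

```python
import base64
import re

# Substitution the ET rule names point at: '+' -> "_2B", '/' -> "_2F" in the
# base64 beacon payload (assumption drawn from the rule titles, not from the
# rule bodies).
_SUBST = {"+": "_2B", "/": "_2F"}
_UNSUBST = {tok: ch for ch, tok in _SUBST.items()}

# Rule-name labels keyed by the token each rule is named after.
_RULE_LABELS = {"_2B": "M1 (_2B)", "_2F": "M2 (_2F)"}


def isfb_uri_encode(ciphertext: bytes) -> str:
    """Model of how an encrypted beacon body becomes a URI token.

    Hypothetical simplification: real beacons add directory names, extra
    path separators and a file extension around the token.
    """
    b64 = base64.b64encode(ciphertext).decode("ascii")
    for ch, tok in _SUBST.items():
        b64 = b64.replace(ch, tok)
    return b64


def extract_token(path: str) -> str:
    """Hypothetical helper: take the last path segment and drop its extension."""
    segment = path.rstrip("/").rsplit("/", 1)[-1]
    return segment.split(".", 1)[0]


def isfb_uri_decode(token: str) -> bytes:
    """Undo the substitution and base64, returning the raw encrypted blob.

    Raises ValueError if the token is not valid base64 after reversal, which
    is the check a detector should make before calling it a beacon.
    """
    for tok, ch in _UNSUBST.items():
        token = token.replace(tok, ch)
    # Re-pad in case the '=' characters were stripped or mangled in transit.
    token += "=" * (-len(token) % 4)
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", token):
        raise ValueError("token is not base64 after reversing the substitution")
    return base64.b64decode(token, validate=True)


def classify_uri(path: str) -> list:
    """Return the rule labels (M1/M2) whose characteristic token appears in path."""
    return [label for tok, label in _RULE_LABELS.items() if tok in path]


if __name__ == "__main__":
    # Constructed input: bytes chosen so base64 yields both '+' and '/'.
    blob = b"\xfb\xff"
    token = isfb_uri_encode(blob)           # "_2B_2F8="
    uri = "/images/" + token + ".bmp"       # constructed beacon-style path
    print(uri, classify_uri(uri))
    print(isfb_uri_decode(extract_token(uri)))
```

Use classify_uri as a cheap triage filter over proxy logs and isfb_uri_decode only on the hits; a token that fails to decode as base64 is a false positive of the string match, not a beacon. The bytes returned are ciphertext, so the next step is Serpent decryption with the key captured as serpent.plain in this report.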

MITRE ATT&CK Enterprise v6

Tasks