Overview

overview

10

Static

static

0061ee159c...9a.exe

windows7_x64

10

0061ee159c...9a.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0061ee159c0bf78d95e3d7f57c7ef59a.exe

  • Size

    208KB

  • Sample

    220303-kh6nkabgcl

  • MD5

    0061ee159c0bf78d95e3d7f57c7ef59a

  • SHA1

    42eabe50510470a42e5fa225bc2008fcfe41d1e0

  • SHA256

    0ecc98fef3cc72ccc01a959163a42f8976d8b5b13536588d8875722b62b22561

  • SHA512

    b5f09359a5b3ab5045cee66f1a3a72da918e0daf8edb86b1447201f6d6f7b86573293514baf0010b2d1e70ea908aace3f565c31e70d2fdd996d9240f77fa3d63

Score
10/10
gozi_ifsb20000bankersuricatatrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

20000

C2

skype.com/signin

143.198.56.58
Attributes
  • base_path

    /peer/

  • build

    250225

  • exe_type

    loader

  • extension

    .prv

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

20000

C2

skype.com/login

143.198.56.58
Attributes
  • base_path

    /images/

  • build

    250225

  • exe_type

    worker

  • extension

    .prv

  • server_id

    50

rsa_pubkey.plain
aes.plain
rsa_pubkey.plain

Targets

    • Target

      0061ee159c0bf78d95e3d7f57c7ef59a.exe

    • Size

      208KB

    • MD5

      0061ee159c0bf78d95e3d7f57c7ef59a

    • SHA1

      42eabe50510470a42e5fa225bc2008fcfe41d1e0

    • SHA256

      0ecc98fef3cc72ccc01a959163a42f8976d8b5b13536588d8875722b62b22561

    • SHA512

      b5f09359a5b3ab5045cee66f1a3a72da918e0daf8edb86b1447201f6d6f7b86573293514baf0010b2d1e70ea908aace3f565c31e70d2fdd996d9240f77fa3d63

    Score
    10/10
    gozi_ifsb20000bankertrojansuricata

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • suricata: ET MALWARE Ursnif Variant CnC Beacon

      suricata: ET MALWARE Ursnif Variant CnC Beacon

      suricata

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

      suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

      suricata

    • suricata: ET MALWARE Ursnif Variant CnC Beacon 3

      suricata: ET MALWARE Ursnif Variant CnC Beacon 3

      suricata

    • suricata: ET MALWARE Ursnif Variant CnC Data Exfil

      suricata: ET MALWARE Ursnif Variant CnC Data Exfil

      suricata

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Remote System Discovery

2
T1018

Process Discovery

1
T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks