General
- Target: 7382622743229626.xll
- Size: 667KB
- Sample: 220303-x3a4lsdhfl
- MD5: 41a2f1ec8b11f55f61e09fb48decb301
- SHA1: 06ca167ffe9c806032f27d7b621c9380eb7136ed
- SHA256: b2991de24bb7a821f3baf980d08ce4bb3d6bd851fefe846147a563340d398d73
- SHA512: 4b72b655ec855b5c08f714fc5ca6d4d256df1a95c377cab0350f88e377c6fe626c0e1aaa9f5a3a9fb9789afc4df715552a00ad2dac1ce93c8c9af9463f7cbb67
Static task: static1
Behavioral task: behavioral1
- Sample: 7382622743229626.xll
- Resource: win7-en-20211208
Malware Config
Extracted: gozi_ifsb
20000
skype.com/signin
143.198.56.58
- base_path: /peer/
- build: 250225
- exe_type: loader
- extension: .prv
- server_id: 50
Extracted: gozi_ifsb
20000
skype.com/login
143.198.56.58
- base_path: /images/
- build: 250225
- exe_type: worker
- extension: .prv
- server_id: 50
Targets
- Target: 7382622743229626.xll
- suricata: ET MALWARE Ursnif Variant CnC Beacon
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
- suricata: ET MALWARE Ursnif Variant CnC Data Exfil
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext