Resubmissions

16/03/2022, 17:20

220316-vwnd9adfel 10

14/03/2022, 17:04

220314-vlrc6acbak 10

General

  • Target

    ba5ba4bb7c78c4693a01e0370fe3e961081f29c40a8be0773cd7db7c4bdba7e5.zip

  • Size

    520KB

  • Sample

    220316-vwnd9adfel

  • MD5

    eead21817867c86bcf5e50078f88e527

  • SHA1

    45d4c6aa8a4b907e51840ff8db083b7346b35fd9

  • SHA256

    0df0bc39de716c9d3257c495c05bf253aeb6937236625c90221bb3e6ec91f7b5

  • SHA512

    6a1b46c0654501827bbc55ebeea2b62c1fd601d7cb678fc13521d48de7b1c229353ec83dc94798b54b9591944ff1bd2be1de6aa89aaf65bf18f479e6e5b9e2eb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4460

C2

1.microsoft.com

horulenuke.us

vorulenuke.us

Attributes

  • base_path

    /freeman/

  • build

    250190

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • extension

    .fre

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      ba5ba4bb7c78c4693a01e0370fe3e961081f29c40a8be0773cd7db7c4bdba7e5

    • Size

      877KB

    • MD5

      34511b8307a59ff1f9bf53a01a124f28

    • SHA1

      aca50b83c9823f78c8088847735c4462606f1940

    • SHA256

      ba5ba4bb7c78c4693a01e0370fe3e961081f29c40a8be0773cd7db7c4bdba7e5

    • SHA512

      c12aa3bae726b42b413f309f05d722983303f49cea8ed60fc893ccbc4e3b99d487b5327a38dae4f77403c0b2f9f175bff205cdc41b5db04346c2e39e924b8acc

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • suricata: ET MALWARE Observed DNS Query to Ursnif CnC Domain (horulenuke .us)

    • suricata: ET MALWARE Observed DNS Query to Ursnif CnC Domain (vorulenuke. us)

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

    • Blocklisted process makes network request

MITRE ATT&CK Enterprise v6

Tasks