General

Target: ba5ba4bb7c78c4693a01e0370fe3e961081f29c40a8be0773cd7db7c4bdba7e5.zip
Size: 520KB
Sample: 220316-vwnd9adfel
MD5: eead21817867c86bcf5e50078f88e527
SHA1: 45d4c6aa8a4b907e51840ff8db083b7346b35fd9
SHA256: 0df0bc39de716c9d3257c495c05bf253aeb6937236625c90221bb3e6ec91f7b5
SHA512: 6a1b46c0654501827bbc55ebeea2b62c1fd601d7cb678fc13521d48de7b1c229353ec83dc94798b54b9591944ff1bd2be1de6aa89aaf65bf18f479e6e5b9e2eb
Static task: static1
Behavioral task: behavioral1
Sample: ba5ba4bb7c78c4693a01e0370fe3e961081f29c40a8be0773cd7db7c4bdba7e5.dll
Resource: win7-20220311-en
Malware Config

Extracted: gozi_ifsb
  4460
  1.microsoft.com
  horulenuke.us
  vorulenuke.us
base_path: /freeman/
build: 250190
dga_base_url: constitution.org/usdeclar.txt
dga_crc: 0x4eb7d2ca
dga_season: 10
dga_tlds: com, ru, org
exe_type: loader
extension: .fre
server_id: 12
Targets

Target: ba5ba4bb7c78c4693a01e0370fe3e961081f29c40a8be0773cd7db7c4bdba7e5
Size: 877KB
MD5: 34511b8307a59ff1f9bf53a01a124f28
SHA1: aca50b83c9823f78c8088847735c4462606f1940
SHA256: ba5ba4bb7c78c4693a01e0370fe3e961081f29c40a8be0773cd7db7c4bdba7e5
SHA512: c12aa3bae726b42b413f309f05d722983303f49cea8ed60fc893ccbc4e3b99d487b5327a38dae4f77403c0b2f9f175bff205cdc41b5db04346c2e39e924b8acc
suricata: ET MALWARE Observed DNS Query to Ursnif CnC Domain (horulenuke .us)
suricata: ET MALWARE Observed DNS Query to Ursnif CnC Domain (vorulenuke. us)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Blocklisted process makes network request