General

  • Target

    7e01b1eaa1318961ff0e0c10d45512a8d569948aa174f345f09cd8f3703ff239

  • Size

    148KB

  • Sample

    220319-1vdrbaadhm

  • MD5

    c29a1f7211c26f5d426f659f6a89aadd

  • SHA1

    dbd953210cdf7fdfb6fab6012a842aeb40f622a5

  • SHA256

    7e01b1eaa1318961ff0e0c10d45512a8d569948aa174f345f09cd8f3703ff239

  • SHA512

    6c3a6180ca9c165c41b7ad76be99cfc05bceda4f49f467c15d8194a37dcb2871394fd2cb108356e23057263557b33a8d45eec1b55fce7c145db664660a9d6e0b

Malware Config

Extracted

Family

gozi_ifsb

Botnet

7244

C2

web.vortex.data.microsoft.com

ocsp.sca1b.amazontrust.com

gstatici.com

Attributes

  • build

    250167

  • dns_servers

    107.174.86.134

    107.175.127.22

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Targets

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

MITRE ATT&CK Enterprise v6

Tasks