General

  • Target

    f1d890163f681d1c94337e6459b9c233180ebe755e94095315f7acf0171e1eea

  • Size

    274KB

  • Sample

    220321-j5mcrsafck

  • MD5

    4fe6296c8b2154cf5f562aabafd9c5fb

  • SHA1

    297b3aac174cf4a4730725e817171ab329265c29

  • SHA256

    f1d890163f681d1c94337e6459b9c233180ebe755e94095315f7acf0171e1eea

  • SHA512

    7db839a57e78c59324dfa38f31e10e17704cdd47d9dc228d52150153fe875e8ec2ac745bcc8ea62c080e3e94007fe025212c1325aaabb41f7200eda724c0dc50

Malware Config

Extracted

Family

gozi_ifsb

Botnet

7622

C2

botanlink.top

linkspremium.ru

premiumlists.ru

Attributes
  • base_path

    /drew/

  • build

    250225

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

  • rsa_pubkey.plain

  • aes.plain

Targets

    • Target

      f1d890163f681d1c94337e6459b9c233180ebe755e94095315f7acf0171e1eea

    • Size

      274KB

    • MD5

      4fe6296c8b2154cf5f562aabafd9c5fb

    • SHA1

      297b3aac174cf4a4730725e817171ab329265c29

    • SHA256

      f1d890163f681d1c94337e6459b9c233180ebe755e94095315f7acf0171e1eea

    • SHA512

      7db839a57e78c59324dfa38f31e10e17704cdd47d9dc228d52150153fe875e8ec2ac745bcc8ea62c080e3e94007fe025212c1325aaabb41f7200eda724c0dc50

    • Gozi, Gozi ISFB

      Gozi ISFB (also tracked as Ursnif) is a well-known and widely distributed banking trojan. The configuration extracted above belongs to its loader stage (exe_type: loader), which fetches the next component from the listed C2 domains.

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

      Emerging Threats Suricata rule triggered by the sample's network traffic. It matches the Ursnif/ISFB beacon URI layout rather than a specific host, keying on the _2F token that appears in the request path.
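The script below is an added example and not part of the sandbox report. It turns the extracted config (C2 domains, base_path /drew/, extension .jlk) and the Suricata signature above into a check that can be run over proxy logs: a line is flagged when the host is a listed C2, when the path has the base_path/extension shape, or both, and it records whether the path carries the _2F token the ET rule keys on. The URI decoding assumes the documented ISFB beacon encoding (base64 data with '/' written as _2F, '+' as _2B and '=' as _2D, with extra '/' separators inserted into the path); the page itself does not describe that encoding. The log lines and the decoded payload are constructed for the example; the decoded bytes are still encrypted with the sample's C2 key (the aes.plain attribute above), so only the structure is validated.

```python
"""Match proxy log lines against the IOCs in the Gozi ISFB config above."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Values taken from the extracted config on this page.
C2_DOMAINS = {"botanlink.top", "linkspremium.ru", "premiumlists.ru"}
BASE_PATH = "/drew/"
EXTENSION = ".jlk"

# Assumption, not stated on this page: ISFB builds the beacon path from base64
# data in which '/' is written as _2F, '+' as _2B and '=' as _2D, and then
# inserts extra '/' separators. The ET rule name above keys on the _2F token.
ESCAPES = {"_2F": "/", "_2B": "+", "_2D": "="}
ESCAPE_RE = re.compile("|".join(ESCAPES))


def recover_blob(path):
    """Strip base_path/extension, undo the escaping and base64-decode.

    Returns the raw (still encrypted) request bytes, or None when the path
    does not have the expected shape. Decrypting needs the sample's C2 key,
    so this only validates structure.
    """
    if not (path.startswith(BASE_PATH) and path.endswith(EXTENSION)):
        return None
    inner = path[len(BASE_PATH):-len(EXTENSION)].replace("/", "")
    b64 = ESCAPE_RE.sub(lambda m: ESCAPES[m.group(0)], inner)
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None


def classify(url):
    """Score one URL against the config; returns a dict, or None if clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    host_hit = host in C2_DOMAINS
    blob = recover_blob(parts.path)
    struct_hit = blob is not None
    if not (host_hit or struct_hit):
        return None
    if host_hit and struct_hit:
        verdict = "c2-beacon"
    elif host_hit:
        verdict = "c2-host"
    else:
        # Known beacon shape on an unlisted host: candidate for a new C2.
        verdict = "uri-struct-only"
    return {
        "url": url,
        "verdict": verdict,
        "has_2F": "_2F" in parts.path,  # what "URI Struct M2 (_2F)" keys on
        "blob_len": len(blob) if blob else 0,
    }


def scan_log(lines):
    """Apply classify() to proxy lines of the form 'ts client method url status'."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        result = classify(fields[3])
        if result:
            result["line"] = n
            hits.append(result)
    return hits


# Constructed sample log, not real telemetry. The first path decodes to
# b'\xfb\xff\xbfbeacon' once the _2F/_2B escapes are reversed.
SAMPLE_LOG = [
    "1647849600 10.0.0.12 GET http://botanlink.top/drew/_2B_2F_2B_2FYmVh/Y29u.jlk 200",
    "1647849601 10.0.0.12 GET http://cdn.example.com/static/app.js 200",
    "1647849602 10.0.0.13 GET http://premiumlists.ru/drew/aGVs/bG9w.jlk 404",
    "1647849603 10.0.0.14 GET http://linkspremium.ru/index.html 200",
    "1647849604 10.0.0.15 GET http://unknown-host.example/drew/aGVs/bG9w.jlk 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The host match alone is enough to block, but the structural match is what survives a C2 rotation: the base_path and extension are per-build settings, so a hit on an unlisted host (the uri-struct-only verdict) is worth pivoting on before the new domain shows up in a config dump.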

MITRE ATT&CK Enterprise v6

Tasks