General

  • Target

    6239dfea99c25.exe

  • Size

    154KB

  • Sample

    220322-r8mfyaceen

  • MD5

    b5946ff13e7698c7e2f26491885ddaab

  • SHA1

    5a30f2c32c05cdf7ea86a916bb7b529c647e56b4

  • SHA256

    b6814794481de92b96493819677c96320d500487b82fd6eb72018faba8a831eb

  • SHA512

    4b296cc73916bf75bc1ab0feadf076b1794a88ba83663c1803e3342b14ff223b85f4d27b86c244088aa8f3eef309b1948f0db9ff71775f7d6e7759ca76b6dca7

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

194.76.226.200

giporedtrip.at

habpfans.at

31.214.157.187

Attributes

  • base_path

    /drew/

  • build

    250225

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

194.76.226.200

giporedtrip.at

habpfans.at

31.214.157.187

Attributes

  • base_path

    /images/

  • build

    250225

  • exe_type

    worker

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain
rsa_pubkey.plain

Targets

    • Target

      6239dfea99c25.exe

    • Size

      154KB

    • MD5

      b5946ff13e7698c7e2f26491885ddaab

    • SHA1

      5a30f2c32c05cdf7ea86a916bb7b529c647e56b4

    • SHA256

      b6814794481de92b96493819677c96320d500487b82fd6eb72018faba8a831eb

    • SHA512

      4b296cc73916bf75bc1ab0feadf076b1794a88ba83663c1803e3342b14ff223b85f4d27b86c244088aa8f3eef309b1948f0db9ff71775f7d6e7759ca76b6dca7

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • suricata: ET MALWARE Ursnif Payload Request (cook32.rar)

    • suricata: ET MALWARE Ursnif Payload Request (cook64.rar)

    • suricata: ET MALWARE Ursnif Variant CnC Beacon

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

    • suricata: ET MALWARE Ursnif Variant CnC Data Exfil

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks