General

  • Target

    d41d05cc157f874f89c574c74c0e2c58

  • Size

    739KB

  • Sample

    220322-s48daacfck

  • MD5

    d41d05cc157f874f89c574c74c0e2c58

  • SHA1

    1e0df409d72db144f570b9d8410b544c8670e64d

  • SHA256

    0d4702dec67009d0728ce6da88bd91bf5e70a526cf0688cc7c7586937cf06cb2

  • SHA512

    fa36e9217d4af43d14870e0fdc380e3ce25674ca0ff55faba604e3b025be06e9c01fadb2807a6809962defc353ca21ea85218115e3624961d6989484115f20ba

Malware Config

Extracted

Family

gozi_ifsb

Botnet

777999

C2

config.edge.skype.com

146.70.35.138

146.70.35.142

Attributes
  • base_path

    /phpadmin/

  • build

    250225

  • exe_type

    loader

  • extension

    .src

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

777999

C2

config.edge.skype.com

67.43.234.14

67.43.234.37

67.43.234.47

Attributes
  • base_path

    /images/

  • build

    250225

  • exe_type

    worker

  • extension

    .src

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      d41d05cc157f874f89c574c74c0e2c58

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • suricata: ET MALWARE Ursnif Payload Request (cook32.rar)

    • suricata: ET MALWARE Ursnif Payload Request (cook64.rar)

    • suricata: ET MALWARE Ursnif Variant CnC Beacon

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

    • suricata: ET MALWARE Ursnif Variant CnC Data Exfil

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks