General

  • Target

    7d5f04aea5411b157bc3e7f36d6e19a9a5f4d8ca50fc1159bad0037337dece70

  • Size

    120KB

  • Sample

    220325-vgavlsfbgm

  • MD5

    555dfca943f26613846a13b40d9f6866

  • SHA1

    7957870c1cd14580c542a19ed61cc9626b40b0b4

  • SHA256

    9b2d71d688360545fe08715fdafa49900877724421d041e830262e351939eb89

  • SHA512

    734c7b102578175c0230fe6eed6f43a70969aa07099fbd0236aee0d74e3f015f8007c400948d73cdc1b8196e039be8de113e8e6c2b141e5993dd648415aae23b

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

194.76.226.200

giporedtrip.at

habpfans.at

31.214.157.187

Attributes

  • base_path

    /drew/

  • build

    250225

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v6

Tasks