General

  • Target

    40cf9a6c58b28b35ac94bd519b291bee247bbd91fff57fc9a2aa40913fadc776

  • Size

    311KB

  • Sample

    220326-c35yrscbfr

  • MD5

    c6b874efba7800ea74c1c13d0985c9d0

  • SHA1

    c43c0a58778647708fde852ec4d0ffb7fb3b3708

  • SHA256

    40cf9a6c58b28b35ac94bd519b291bee247bbd91fff57fc9a2aa40913fadc776

  • SHA512

    26a918a36b6e2c4a7c283cd642bddb1858659cdddd86d0809d6fbc8bb70bd6ec06308abda4b0bbbbd2871c85b612db7ccaf15d98d36308a379f116ed5d26c8cb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1001

C2

shop.microsoft.com

loadshemsplot.xyz

Attributes
  • build

    250162

  • dga_season

    10

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Targets

    • Gozi, Gozi IFSB

      Gozi ISFB, also tracked as Ursnif, is a well-known and widely distributed banking trojan. The extracted configuration marks this sample as the loader stage (exe_type: loader) of botnet 1001, build 250162.

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

    • Detected potential entity reuse from brand microsoft.

      This fires because the extracted C2 list contains shop.microsoft.com, which is a legitimate Microsoft host, not attacker infrastructure. Do not block or alert on it on the strength of this report; the actionable C2 indicator here is loadshemsplot.xyz.

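To turn the extracted configuration and the brand-reuse signature above into indicators a defender can actually load, the following Python is an added example of mine; it is not the sandbox's code or any project's tooling. The hashes, family, botnet, build and C2 hosts are copied from the report; the BENIGN_PARENT_DOMAINS allowlist and all function names are my assumptions and should be tuned to your environment.

```python
"""Normalise the sandbox report above into an indicator set.

Added example; not part of the sandbox report or its tooling.
Report values are copied verbatim from the page. The allowlist of
benign parent domains is an assumption, not something the report states.
"""
import hashlib
from typing import Dict, List

# Values copied from the report above.
REPORT = {
    "family": "gozi_ifsb",
    "botnet": "1001",
    "build": "250162",
    "c2": ["shop.microsoft.com", "loadshemsplot.xyz"],
    "hashes": {
        "md5": "c6b874efba7800ea74c1c13d0985c9d0",
        "sha1": "c43c0a58778647708fde852ec4d0ffb7fb3b3708",
        "sha256": "40cf9a6c58b28b35ac94bd519b291bee247bbd91fff57fc9a2aa40913fadc776",
        "sha512": "26a918a36b6e2c4a7c283cd642bddb1858659cdddd86d0809d6fbc8bb70bd6ec"
                  "06308abda4b0bbbbd2871c85b612db7ccaf15d98d36308a379f116ed5d26c8cb",
    },
}

# Assumption: parent domains whose hosts must never be blocked even when a
# malware config lists them (the report's own brand-reuse signature fired on
# shop.microsoft.com). A look-alike such as evil-microsoft.com is NOT covered.
BENIGN_PARENT_DOMAINS = {"microsoft.com"}


def is_under(host: str, parent: str) -> bool:
    """True if host equals parent or is a subdomain of it (label-aware, so
    'evil-microsoft.com' does not match 'microsoft.com')."""
    host, parent = host.lower().rstrip("."), parent.lower().rstrip(".")
    return host == parent or host.endswith("." + parent)


def split_c2(hosts: List[str]) -> Dict[str, List[str]]:
    """Separate hosts safe to block from legitimate ones carried in the config."""
    out: Dict[str, List[str]] = {"block": [], "benign": []}
    for h in hosts:
        benign = any(is_under(h, p) for p in BENIGN_PARENT_DOMAINS)
        out["benign" if benign else "block"].append(h)
    return out


def digests(data: bytes) -> Dict[str, str]:
    """All four digests the report publishes, for a candidate file's bytes."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def matches_report(data: bytes, report: dict = REPORT) -> Dict[str, bool]:
    """Per-algorithm comparison with the report. Require every digest to
    match: a lone MD5 or SHA1 hit is not proof of the same file."""
    actual = digests(data)
    return {name: actual[name] == expected
            for name, expected in report["hashes"].items()}


def indicators(report: dict = REPORT) -> List[Dict[str, str]]:
    """Flat IOC list (hashes plus actionable C2) tagged with the config context."""
    tag = f"{report['family']}:botnet={report['botnet']}:build={report['build']}"
    iocs = [{"type": name, "value": value, "tag": tag}
            for name, value in report["hashes"].items()]
    iocs += [{"type": "domain", "value": h, "tag": tag}
             for h in split_c2(report["c2"])["block"]]
    return iocs


if __name__ == "__main__":
    for ioc in indicators():
        print(f"{ioc['type']:7} {ioc['value']}  [{ioc['tag']}]")
    print("excluded as benign:", split_c2(REPORT["c2"])["benign"])
```

Running the block prints four hash indicators and a single domain indicator, and reports shop.microsoft.com as excluded. matches_report() takes raw bytes so it can be fed a file read from a quarantine store; the sample itself is not included here.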
MITRE ATT&CK Enterprise v6

Tasks