General

  • Target: proxychain.bin.zip
  • Size: 145KB
  • Sample: 220328-rfva3sehdl
  • MD5: 6be70b0961c690ad25a52122f7f51b88
  • SHA1: 970dd9624c4e60226adc46e5f90cb986645e5869
  • SHA256: 80ae0bbcd756599996cfabd5f7beb404be8842fdbbbd03a9682966077f5c48b9
  • SHA512: 2eeecd452461b6a682a9aae99c21625fc1fbabffece41ae14c664508987fc771b8a48a07eb024e3143e2c63879adb30efaeb55624fdc13138a44bfe41b741567

Malware Config

Extracted

Family

gozi_ifsb

Botnet

202201

C2


Attributes
  • base_path: /drew/
  • build: 250224
  • exe_type: loader
  • extension: .jlk
  • server_id: 50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

202201

C2


Attributes
  • base_path: /images/
  • exe_type: worker
  • extension: .avi
  • server_id: 50

rsa_pubkey.plain
aes.plain

Targets

    • Target: proxychain.bin
    • Size: 255KB
    • MD5: fe45c50d912ba5114f7cec59f5ce3a1d
    • SHA1: 40706642be37ee48ce49faa4592a6e977aa5c3ca
    • SHA256: 104e6094ef239aae7e4317433e868b67108b8157627dc222f996cb087795334f
    • SHA512: 7803bc3ae1a8deb1c04e27d7a7d5c623c6b667a71ec5e9564aefa2d5d8cdc40c2a5129844b5fc5ca20a8074719601b2ebf6cc0b66c460c4570a42314f4110409
    • Gozi, Gozi IFSB
      Gozi ISFB is a well-known and widely distributed banking trojan.

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks