Description
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba
General
Target
Size
Sample
e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba
185KB
220504-pqmmwadga8
Score
10 /10
MD5
SHA1
SHA256
SHA512
c795181ec19574853c944ce0858bdbaa
9644d104cb05a61904c28238c6bdbee56b5acb56
e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba
84f1b604374e7391d29c1df67097f5f14724e9c6b10dca95a65397f51feaa20f0b3420ea6a47c85d85df6a12a048aab0b195899aed2cd73bc1f854c3688f3275
Malware Config
Targets
Target
MD5
Filesize
e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba
c795181ec19574853c944ce0858bdbaa
185KB
Score
10/10
SHA1
SHA256
SHA512
9644d104cb05a61904c28238c6bdbee56b5acb56
e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba
84f1b604374e7391d29c1df67097f5f14724e9c6b10dca95a65397f51feaa20f0b3420ea6a47c85d85df6a12a048aab0b195899aed2cd73bc1f854c3688f3275
Tags
Signatures
-
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Possible privilege escalation attempt
Tags
-
Stops running service(s)
Tags
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Loads dropped DLL
-
Modifies file permissions
Tags
TTPs
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks