General
-
Target
59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572
-
Size
396KB
-
Sample
220504-pqmmwagdep
-
MD5
cdf4d67f3c2a779b0e36b0e566d96d5b
-
SHA1
a9b6050f5f4d5724de611cd5be4064e23751003a
-
SHA256
59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572
-
SHA512
774431280b04341b74229afb168653fa922c2240ca79e1830d007de729451d8a2c17695afbd8181a44d2b677edb9fdf9ea543d721506a596817331bce9ca4c0a
Malware Config
Targets
-
-
Target
59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572
-
Size
396KB
-
MD5
cdf4d67f3c2a779b0e36b0e566d96d5b
-
SHA1
a9b6050f5f4d5724de611cd5be4064e23751003a
-
SHA256
59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572
-
SHA512
774431280b04341b74229afb168653fa922c2240ca79e1830d007de729451d8a2c17695afbd8181a44d2b677edb9fdf9ea543d721506a596817331bce9ca4c0a
Score10/10-
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Possible privilege escalation attempt
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-