9d5c5ef922aa7343c1ec29d5a6eb1b006f4b3aee817211ea958b6810df28510b | Triage

Submit
Reports

Overview

overview

Static

static

Ginzo.exe

windows7_x64

Ginzo.exe

windows10-2004_x64

Sharing

General

Target

Ginzo.exe
Size

184KB
Sample

220520-22rr7abdak
MD5

9d754925aa0e92fcc36d052bafa0cc1d
SHA1

5f2afa65a5a43cf21b5b6fa2933ca909989679ad
SHA256

9d5c5ef922aa7343c1ec29d5a6eb1b006f4b3aee817211ea958b6810df28510b
SHA512

8775eda9a19379b6875b8eef50c7da17abda07ee1caa7fe45e83ed23a5c2b7f749e04f514b298a85e2ff73df3c4ca35263b69756f14790e65d72cf34e3067582

Score

10^/10

discovery evasion exploit spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

Ginzo.exe

Resource

win7-20220414-en

discovery evasion exploit spyware stealer suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Ginzo.exe

Resource

win10v2004-20220414-en

discovery evasion exploit spyware stealer suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  Ginzo.exe
- Size
  
  184KB
- MD5
  
  9d754925aa0e92fcc36d052bafa0cc1d
- SHA1
  
  5f2afa65a5a43cf21b5b6fa2933ca909989679ad
- SHA256
  
  9d5c5ef922aa7343c1ec29d5a6eb1b006f4b3aee817211ea958b6810df28510b
- SHA512
  
  8775eda9a19379b6875b8eef50c7da17abda07ee1caa7fe45e83ed23a5c2b7f749e04f514b298a85e2ff73df3c4ca35263b69756f14790e65d72cf34e3067582
Score

10^/10

discovery evasion exploit spyware stealer suricata
- Modifies security service
  evasion
- suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
  suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Impair Defenses

File Permissions Modification

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

discoveryevasionexploitspywarestealersuricata

behavioral2

discoveryevasionexploitspywarestealersuricata

© 2018-2024

Terms | Privacy