General

  • Target

    2cba9e142f667e16afacf89db19f91f42d5594d18934f5d86bfaed9e64bc5cb9

  • Size

    3.7MB

  • Sample

    220614-1qzszsefbr

  • MD5

    b0fdccbc6f384b9e4155b6f4a0a25988

  • SHA1

    dba7dcfa2400c1256298c1abc12d79723aa96963

  • SHA256

    2cba9e142f667e16afacf89db19f91f42d5594d18934f5d86bfaed9e64bc5cb9

  • SHA512

    777f35afb7432b7c9ab1af6a8a88d06f7d08dd90d025987960e59d6c421f0991e7a55eddc2e9746ff708a72f9930f300ff99156485ebfe95d2fee314b9171e2d

Malware Config

Extracted

Family

gozi_ifsb

Attributes
  • build

    214098

Extracted

Family

gozi_ifsb

Botnet

3523

C2

fortinet.com

symantec.com

z39bldfq.com

r79xhiram81ue.com

mlqlqewh.com

Attributes
  • build

    214098

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      2cba9e142f667e16afacf89db19f91f42d5594d18934f5d86bfaed9e64bc5cb9

    • Size

      3.7MB

    • MD5

      b0fdccbc6f384b9e4155b6f4a0a25988

    • SHA1

      dba7dcfa2400c1256298c1abc12d79723aa96963

    • SHA256

      2cba9e142f667e16afacf89db19f91f42d5594d18934f5d86bfaed9e64bc5cb9

    • SHA512

      777f35afb7432b7c9ab1af6a8a88d06f7d08dd90d025987960e59d6c421f0991e7a55eddc2e9746ff708a72f9930f300ff99156485ebfe95d2fee314b9171e2d

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

MITRE ATT&CK Enterprise v6

Tasks