gozi_ifsb | 3e6f7f9456ae9906e40da831c58f9b78a2eee8af2682cac7a9abf1a854142aa0

General

Target

b6886ffe6ca1c02c8dc599ed1bb7f0c4.exe
Size

2.3MB
Sample

220623-ef7vysbegr
MD5

b6886ffe6ca1c02c8dc599ed1bb7f0c4
SHA1

1b82158d56530c4a8ae83fee7ecdc1d91cbafb0c
SHA256

3e6f7f9456ae9906e40da831c58f9b78a2eee8af2682cac7a9abf1a854142aa0
SHA512

1b81d29cc15091196ab94afabaf1520807459141bd5edb5cf40fafa469e422dec0e77014cb1dd6cae7e077a2ea993f7b03b729846898f6729a2efe6d1a681974

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

Bartho

C2

45.67.35.151:20686

Attributes

auth_value
a33b211fae3d9b87a1d711957edd752e

Extracted

Family

gozi_ifsb

Botnet

20000

C2

apghn.msn.com

188.126.76.221

Attributes

base_path
/budweiser/
build
250235
exe_type
loader
extension
.bbu
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

20000

C2

apggn.msn.com

188.126.76.221

aphgn.msn.com

176.97.65.105

Attributes

base_path
/budweiser/
build
250235
exe_type
worker
extension
.bbu
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  b6886ffe6ca1c02c8dc599ed1bb7f0c4.exe
- Size
  
  2.3MB
- MD5
  
  b6886ffe6ca1c02c8dc599ed1bb7f0c4
- SHA1
  
  1b82158d56530c4a8ae83fee7ecdc1d91cbafb0c
- SHA256
  
  3e6f7f9456ae9906e40da831c58f9b78a2eee8af2682cac7a9abf1a854142aa0
- SHA512
  
  1b81d29cc15091196ab94afabaf1520807459141bd5edb5cf40fafa469e422dec0e77014cb1dd6cae7e077a2ea993f7b03b729846898f6729a2efe6d1a681974
Score

10^/10

redline bartho infostealer spyware suricata gozi_ifsb 20000 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
  suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
  suricata
- suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
  suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Data Exfil
  suricata: ET MALWARE Ursnif Variant CnC Data Exfil
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2