Overview

overview

10

Static

static

0db1f05c21...00.exe

windows7_x64

1

0db1f05c21...00.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0db1f05c21f621b8ff4ec4b958d62000.exe

  • Size

    647KB

  • Sample

    220623-ggv9naefc3

  • MD5

    0db1f05c21f621b8ff4ec4b958d62000

  • SHA1

    9e03ea20ab36ebd07e887d5d5a8467d266908b31

  • SHA256

    cfc28c18307134fd44181c705df55653e24114fe5c58788c18f50613ae08da01

  • SHA512

    dd7107d9f4e313f85083e7f9710e38022873c22642f8a1a04f35f08285852aef2b2c271168f8af0fd8c62c179e3af7ab7a3d1b51a3441bd072544a0ff3ef07ac

Score
10/10
gozi_ifsb20000bankersuricatatrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

20000

C2

apghn.msn.com

188.126.76.221
Attributes
  • base_path

    /budweiser/

  • build

    250235

  • exe_type

    loader

  • extension

    .bbu

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

20000

C2

apggn.msn.com

188.126.76.221

aphgn.msn.com

176.97.65.105
Attributes
  • base_path

    /budweiser/

  • build

    250235

  • exe_type

    worker

  • extension

    .bbu

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      0db1f05c21f621b8ff4ec4b958d62000.exe

    • Size

      647KB

    • MD5

      0db1f05c21f621b8ff4ec4b958d62000

    • SHA1

      9e03ea20ab36ebd07e887d5d5a8467d266908b31

    • SHA256

      cfc28c18307134fd44181c705df55653e24114fe5c58788c18f50613ae08da01

    • SHA512

      dd7107d9f4e313f85083e7f9710e38022873c22642f8a1a04f35f08285852aef2b2c271168f8af0fd8c62c179e3af7ab7a3d1b51a3441bd072544a0ff3ef07ac

    Score
    10/10
    gozi_ifsb20000bankersuricatatrojan

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • suricata: ET MALWARE Ursnif Payload Request (cook32.rar)

      suricata: ET MALWARE Ursnif Payload Request (cook32.rar)

      suricata

    • suricata: ET MALWARE Ursnif Payload Request (cook64.rar)

      suricata: ET MALWARE Ursnif Payload Request (cook64.rar)

      suricata

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

      suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

      suricata

    • suricata: ET MALWARE Ursnif Variant CnC Data Exfil

      suricata: ET MALWARE Ursnif Variant CnC Data Exfil

      suricata

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Remote System Discovery

2
T1018

Process Discovery

1
T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks