Overview

overview

10

Static

static

tmp.exe

windows7_x64

10

tmp.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    225KB

  • Sample

    220623-mtb97sfdf7

  • MD5

    4d0774579b6e4be41c687982347b5a41

  • SHA1

    4359e5993bbce3794d0fc1a51a147d2b6b67d7bb

  • SHA256

    7ae2c953f8142f668650d11f0bc7f042e249ee8456b2255f71a51a84ca94c756

  • SHA512

    ee4177f6624cb932f5e5c5cad0c27eabdb9ed7250e8133d177561c79c82bcba43d3d781db2af85d06fb7899f23158e94abb3b143f62ac971234ef617cd784a28

Score
10/10
gozi_ifsb1500bankersuricatatrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1500

C2

apghn.msn.com

188.126.76.221
Attributes
  • base_path

    /budweiser/

  • build

    250235

  • exe_type

    loader

  • extension

    .bbu

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      tmp

    • Size

      225KB

    • MD5

      4d0774579b6e4be41c687982347b5a41

    • SHA1

      4359e5993bbce3794d0fc1a51a147d2b6b67d7bb

    • SHA256

      7ae2c953f8142f668650d11f0bc7f042e249ee8456b2255f71a51a84ca94c756

    • SHA512

      ee4177f6624cb932f5e5c5cad0c27eabdb9ed7250e8133d177561c79c82bcba43d3d781db2af85d06fb7899f23158e94abb3b143f62ac971234ef617cd784a28

    Score
    10/10
    gozi_ifsb1500bankertrojansuricata

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

      suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

      suricata

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks