General
Target: 3cd57e714aa0b542686ac077089b6b2d82235f5974ffd6632923e9a2c9ae271b
Size: 252KB
Sample: 220703-ftpf7sgcdj
MD5: 652a4de0918a9de8a3fc0bc472f7a86d
SHA1: a979fe13938cf0c7b29f97def7b4e4b0aa0e8547
SHA256: 3cd57e714aa0b542686ac077089b6b2d82235f5974ffd6632923e9a2c9ae271b
SHA512: af0a9e44576586372e1bd0e78a0d0de98a4c53ade727056589ed662b8d108633da6a195186296abec2ff8d11b9f50e742af1298817e0e2f365a68835ab3809f1
Static task: static1
Behavioral task: behavioral1
Sample: 3cd57e714aa0b542686ac077089b6b2d82235f5974ffd6632923e9a2c9ae271b.exe
Resource: win7-20220414-en
Malware Config
Extracted: gozi_ifsb
build: 214745
Extracted: gozi_ifsb
1020
build: 214745
exe_type: worker
server_id: 60
Targets
- suricata: ET MALWARE Ursnif Variant CnC Beacon
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext