General

Target: a88085e0251fd795e39ba02de1ebaf7c
Size: 432KB
Sample: 220707-vzt17sefb8
MD5: a88085e0251fd795e39ba02de1ebaf7c
SHA1: d25052c9a633f8a118c9e89a923bbb1df2d2c5f5
SHA256: 96f13595050ebbbb7e919872631a913867cb282f59e2d687479b419ecd058da2
SHA512: a2d63443e117e0fa73d118689fe6b8aa1728e80c89f41c6b5524c6d17fd79dbbe9c49f8f47ddf461aec486239b7918a1a7982caab2f15f5c40a00322f7e263da
Static task: static1
Behavioral task: behavioral1
Sample: a88085e0251fd795e39ba02de1ebaf7c.dll
Resource: win7-20220414-en
Malware Config

Extracted: gozi_ifsb
  3000
  config.edge.skype.com
  79.110.52.164
  79.110.52.97
  base_path: /drew/
  build: 250239
  exe_type: loader
  extension: .jlk
  server_id: 50

Extracted: gozi_ifsb
  3000
  deohomexm.at
  79.110.52.244
  23.227.202.64
  base_path: /images/
  build: 250239
  exe_type: worker
  extension: .jlk
  server_id: 50
Targets

Target: a88085e0251fd795e39ba02de1ebaf7c
Size: 432KB
suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
Blocklisted process makes network request
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Suspicious use of SetThreadContext