General

  • Target

    5ae7937d8333afb2bb950c8f1089e2066954a3127945f52af2e2da58b7273a45

  • Size

    1.1MB

  • Sample

    220802-b7d56sfdal

  • MD5

    5743a543faa8ce02ee4def907c831ddb

  • SHA1

    dc385fcecfa2db881008b4a644ca3ef381d4132d

  • SHA256

    5ae7937d8333afb2bb950c8f1089e2066954a3127945f52af2e2da58b7273a45

  • SHA512

    22173e62fba73fa503127e43e29aea5922e64f19a76533265690dd57b3f036d168ffbeeb18be0067a1ddf33fd205ea528e9704e0f1b6356c8f50a75ddb448b5a

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://shoshanna.at

http://buismashallah.at

Attributes
  • build

    217027

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      5ae7937d8333afb2bb950c8f1089e2066954a3127945f52af2e2da58b7273a45

    • Size

      1.1MB

    • MD5

      5743a543faa8ce02ee4def907c831ddb

    • SHA1

      dc385fcecfa2db881008b4a644ca3ef381d4132d

    • SHA256

      5ae7937d8333afb2bb950c8f1089e2066954a3127945f52af2e2da58b7273a45

    • SHA512

      22173e62fba73fa503127e43e29aea5922e64f19a76533265690dd57b3f036d168ffbeeb18be0067a1ddf33fd205ea528e9704e0f1b6356c8f50a75ddb448b5a

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks