General

  • Target

    04fc65e8b542dff64a64e42049d1cf568b967d72bfbcb3d3c3e3b89ec809ee2f

  • Size

    280KB

  • Sample

    220802-lhrebaeehl

  • MD5

    cc1a2af4edb9052043c71f196b3bc35c

  • SHA1

    c8d8e0a260cce70dad76698ddcbd2cefffc0e0a8

  • SHA256

    04fc65e8b542dff64a64e42049d1cf568b967d72bfbcb3d3c3e3b89ec809ee2f

  • SHA512

    8d16eb3d3d7b3d9b2d09a595ebd5d421b6eb9bd3e7b0a45b70b43e8a920883d48c5aa46d5d89de7efab5e0760d32930ace08077290048506dde281a1b8e39465

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8999

C2

ntrp.msn.com

185.189.151.35

nterp.msn.com

194.76.225.96

Attributes

  • base_path

    /chupa/

  • build

    250239

  • exe_type

    loader

  • extension

    .upa

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Gozi, Gozi ISFB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Blocklisted process makes network request

MITRE ATT&CK Matrix

Tasks