Overview

overview

10

Static

static

10

48a23aa321...ac.exe

windows7-x64

10

48a23aa321...ac.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    48a23aa3218539f006433cace2d210ac.exe

  • Size

    137KB

  • Sample

    220925-q34ycsehf6

  • MD5

    48a23aa3218539f006433cace2d210ac

  • SHA1

    ff971a5e22ded44ece04f5d55f4da7f506f932dc

  • SHA256

    61b6f378708dad610ed8d4665cbe460d91ffc2615adc28817c2c3f01352b00be

  • SHA512

    829f5a76a895d4994b7db011f2a5d305bc9d5028ee7278491f120045529e6b980d8a683520a1aaf3c6d2162b983aed3db240094eeafb1bb30cfd499ca05fc028

  • SSDEEP

    3072:nYO/ZMTFVhLzZLuU3spuXBpV/8DFvyhPLhESS0v:nYMZMBVhLzcksEXWcZLh

Score
10/10
gozi_ifsbredline7777acula не трогатьbankerdiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

ACULA НЕ ТРОГАТЬ

C2

80.66.87.21:2500

Attributes
  • auth_value

    49abd863c99911e0040c5266436f34cf

Extracted

Family

gozi_ifsb

Botnet

7777

C2

trackingg-protectioon.cdn4.mozilla.net

194.76.225.37

trackingg-protectioon.cdn5.mozilla.net

185.212.44.249

109.230.199.185
Attributes
  • base_path

    /fonts/

  • build

    250246

  • exe_type

    loader

  • extension

    .bak

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      48a23aa3218539f006433cace2d210ac.exe

    • Size

      137KB

    • MD5

      48a23aa3218539f006433cace2d210ac

    • SHA1

      ff971a5e22ded44ece04f5d55f4da7f506f932dc

    • SHA256

      61b6f378708dad610ed8d4665cbe460d91ffc2615adc28817c2c3f01352b00be

    • SHA512

      829f5a76a895d4994b7db011f2a5d305bc9d5028ee7278491f120045529e6b980d8a683520a1aaf3c6d2162b983aed3db240094eeafb1bb30cfd499ca05fc028

    • SSDEEP

      3072:nYO/ZMTFVhLzZLuU3spuXBpV/8DFvyhPLhESS0v:nYMZMBVhLzcksEXWcZLh

    Score
    10/10
    gozi_ifsbredline7777acula не трогатьbankerdiscoveryinfostealerspywarestealertrojan

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks