gozi_ifsb | 61b6f378708dad610ed8d4665cbe460d91ffc2615adc28817c2c3f01352b00be

General

Target

48a23aa3218539f006433cace2d210ac.exe
Size

137KB
Sample

220925-q34ycsehf6
MD5

48a23aa3218539f006433cace2d210ac
SHA1

ff971a5e22ded44ece04f5d55f4da7f506f932dc
SHA256

61b6f378708dad610ed8d4665cbe460d91ffc2615adc28817c2c3f01352b00be
SHA512

829f5a76a895d4994b7db011f2a5d305bc9d5028ee7278491f120045529e6b980d8a683520a1aaf3c6d2162b983aed3db240094eeafb1bb30cfd499ca05fc028
SSDEEP

3072:nYO/ZMTFVhLzZLuU3spuXBpV/8DFvyhPLhESS0v:nYMZMBVhLzcksEXWcZLh

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

ACULA НЕ ТРОГАТЬ

C2

80.66.87.21:2500

Attributes

auth_value
49abd863c99911e0040c5266436f34cf

Extracted

Family

gozi_ifsb

Botnet

7777

C2

trackingg-protectioon.cdn4.mozilla.net

194.76.225.37

trackingg-protectioon.cdn5.mozilla.net

185.212.44.249

109.230.199.185

Attributes

base_path
/fonts/
build
250246
exe_type
loader
extension
.bak
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  48a23aa3218539f006433cace2d210ac.exe
- Size
  
  137KB
- MD5
  
  48a23aa3218539f006433cace2d210ac
- SHA1
  
  ff971a5e22ded44ece04f5d55f4da7f506f932dc
- SHA256
  
  61b6f378708dad610ed8d4665cbe460d91ffc2615adc28817c2c3f01352b00be
- SHA512
  
  829f5a76a895d4994b7db011f2a5d305bc9d5028ee7278491f120045529e6b980d8a683520a1aaf3c6d2162b983aed3db240094eeafb1bb30cfd499ca05fc028
- SSDEEP
  
  3072:nYO/ZMTFVhLzZLuU3spuXBpV/8DFvyhPLhESS0v:nYMZMBVhLzcksEXWcZLh
Score

10^/10

gozi_ifsb redline 7777 acula не трогать banker discovery infostealer spyware stealer trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Gozi, Gozi IFSB

RedLine

RedLine payload

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2