Resubmissions

25/12/2022, 16:04

221225-th4nmseg91 10

25/12/2022, 09:43

221225-lqbntsee3v 10

General

  • Target

    ursnif.bin

  • Size

    332KB

  • Sample

    221225-lqbntsee3v

  • MD5

    a03b2c0e5af189c08c70a6532ab48300

  • SHA1

    b4d68c7f0bc9a592f500de86e0125dd1e2a36089

  • SHA256

    112b84b09d2051376879f697f03190240132b87bbac0d069175bd3039d492f56

  • SHA512

    c77f652b8300763e9ebd5c93b85bfd5c8ef904c03f0ecc1fac9128fea211058980402ca511d71fa07d95fedb74abc8658a1bfc636f749c2022e64e96d427f3a7

  • SSDEEP

    6144:4i7CLqelbeSO8XNHlreeOxeZ61hJFIJfVAVrwU+:jGGWbRNHlKel6PHgtyQ

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3000

C2

trackingg-protectioon.cdn4.mozilla.net

185.189.151.38

31.214.157.31

protectioon.cdn4.mozilla.net

9185.212.47.59

194.76.224.95

194.76.227.159

91.241.93.111

Attributes
  • base_path

    /fonts/

  • build

    250249

  • exe_type

    loader

  • extension

    .bak

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

3000

C2

protectioon.cdn4.mozilla.net

194.76.224.95

194.76.227.159

91.241.93.111

31.214.157.31

9185.212.47.59

trackingg-protectioon.cdn4.mozilla.net

185.189.151.38

Attributes
  • base_path

    /fonts/

  • build

    250249

  • exe_type

    worker

  • extension

    .bak

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      ursnif.bin

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks