aurora | 3a5a6e8d7db817361b7126dd2f3ba2b0db254bfaf9ba12048a58b3f914737ac5

General

Target

payloads.zip
Size

1.2MB
Sample

230215-jy8x7aah43
MD5

e8e3bc0b2f56bfe63543aeffb06d97bb
SHA1

7753274b940afedb58769c4de952f44158f602e3
SHA256

3a5a6e8d7db817361b7126dd2f3ba2b0db254bfaf9ba12048a58b3f914737ac5
SHA512

373385f13f48a04b9694d55c960c795f60e41bff89ec4573722ce94aaa3a7d25c4614fe8709b5e316e252c2fd8f871351df25b6f9462e9f9598816a55a18d03c
SSDEEP

24576:5KStfFMvO1RRPsRMIPlJOSj4gKM2qNhdZJbX5rMDcWdqjyhWAwNB:4SttUcRl8MI3V44NnZJbprMwcWAwv

Score

10^/10

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

994411

C2

renewbleenergey.ru

iujdhsndjfks.ru

94.198.54.97

gameindikdowd.ru

jhgfdlkjhaoiu.su

reggy506.ru

reggy914.ru

Attributes

base_path
/uploaded/
build
250249
exe_type
loader
extension
.pct
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

aurora

C2

159.69.108.164:8081

Extracted

Family

gozi

Botnet

994411

C2

renewbleenergey.ru

iujdhsndjfks.ru

94.198.54.97

gameindikdowd.ru

jhgfdlkjhaoiu.su

reggy506.ru

reggy914.ru

Attributes

base_path
/uploaded/
build
250249
exe_type
worker
extension
.pct
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  control.exe.bin
- Size
  
  37KB
- MD5
  
  fab96414cc834214965bfc06a1f152b0
- SHA1
  
  1734b62ddb614cde6f6191799e8c4494593b533c
- SHA256
  
  c0be2d843a58e5c8efbdeee3d287fa6432e0bf401fd7c38870b8153301a24b69
- SHA512
  
  959f5dcfccd8d934d5b09e92ee84e54a1fefb04c6bfa59ce60988779061d3fbf72752db9b5118f19ca334fc48b0fad0f2e0418c2dc278cbb4879b15c57eb7fb8
- SSDEEP
  
  768:TKbMPv5JLJyeyV34OB9bl5n+iRjn9P1avZa9Bmr1h097mI569:T4MHLLJJyt5+0zavZangX097m5
Score

10^/10

gozi 994411 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  control2.exe.bin
- Size
  
  3.0MB
- MD5
  
  ff7f647536d4ee57ec129151e5ff71b5
- SHA1
  
  8eb63340b5047dabff508ce67a3eb95c22f02a37
- SHA256
  
  845ade5537fadbb77368349cdc51b533a6ad02e819e4b74f21186fdaed1a7ea2
- SHA512
  
  486df438a6f0d78260bc48572cc28054e8e7fb886e1567efe853053add52bb3f5a894e8e76a247cafdb2b8c165f3162ed3423a6d4cd1059c668a35cc786cc711
- SSDEEP
  
  49152:TNX/kxUhAnhP/4G2imMLb6cEPiITRf+EGg7ddjzaII5oTk6k1oFW:Tt/cqAhPpJLucQjFTPw
Score

7^/10

spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
behavioral3 behavioral4