Deep Analysis — Ginzo Infostealer | Threat: CRITICAL
File Identity
| Field | Value |
|---|---|
| SHA256 | c73a91a1fdfa8b8ad1c4092fd33e3e84c16b568ae622996891d573bb449eec04 |
| PDB | Ginzo.pdb |
| Size | 189,952 bytes (PE32 GUI x86, .NET) |
| Entropy | 5.902 (possible packer -- suspicious section name sG'4.!$) |
| Timestamp | in the future (forged) |
Ginzo.pdb: Identity Confirmation
GINZO CONFIRMED: Ginzo.pdb + Ginzo.exe x3 records -- definitive identification of the Ginzo Infostealer family!
```text
Ginzo.pdb (PDB path)
Ginzo.exe (x3 references)

-- Ginzo: Python-based .NET infostealer family
-- Targets: Chrome, Firefox, Edge browser credentials
-- Cookie stealer: SQL queries for both Chromium and Firefox are present
-- AES encryption: encrypted_value fields decrypted with AES-256-CBC
-- Base64 decode: FromBase64String used to decode config and payload
```
Chrome Cookie SQL Query
```sql
SELECT creation_utc,top_frame_site_key,host_key,name,value,
 encrypted_value,path,expires_utc,is_secure,is_httponly,
 last_access_utc,has_expires,is_persistent,priority,
 samesite,source_scheme,source_port,is_same_party
FROM cookies

-- Target file: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookies
-- encrypted_value: cookie value encrypted with Windows DPAPI
-- Ginzo reads these values and decrypts them with the AES key
-- Targets: session tokens, authorization cookies, banking sessions
```
Firefox Cookie SQL Query
```sql
SELECT id,originAttributes,name,value,host,path,expiry,
 lastAccessed,creationTime,isSecure,isHttpOnly,
 inBrowserElement,sameSite,rawSameSite,schemeMap
FROM moz_cookies

-- Target file: %APPDATA%\Mozilla\Firefox\Profiles\*.default\cookies.sqlite
-- moz_cookies: Firefox SQLite cookie table
-- value: Firefox cookie values are not encrypted, so they can be read directly
-- originAttributes: container/isolation attribute
```
Password Field IOC Evidence
```text
timePasswordChanged
date_password_modified
passwordField
encryptedPassword
encryptedUsername
password_type
encrypted_value
password_value

-- These field names are the column names of the databases Ginzo targets
-- Chrome Login Data: encrypted_value, username_value, password_value
-- Firefox logins.json: encryptedPassword, encryptedUsername
-- AesEngine + FromBase64String: decrypt the encrypted records with the .NET AES engine
```
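As an added triage example (not part of this report or the analyzed sample), the helper below searches a binary for the indicator strings listed above in both ASCII and UTF-16LE: .NET string literals such as the SQL queries live in the #US heap as UTF-16LE, while the PDB path in the debug directory is plain ASCII, so an ASCII-only grep misses half the evidence. The sample blob, the hypothetical build path and the scoring rule (PDB path plus three Ginzo.exe references, as the report states) are constructed here.

```python
# Strings this report attributes to Ginzo (all taken from the page). .NET string
# literals such as the SQL queries are stored in the #US heap as UTF-16LE, while
# the PDB path in the debug directory is plain ASCII, so both encodings are tried.
INDICATORS = {
    "pdb_path": "Ginzo.pdb",
    "exe_name": "Ginzo.exe",
    "chrome_cookie_sql": "encrypted_value,path,expires_utc",
    "firefox_cookie_sql": "FROM moz_cookies",
    "firefox_login_field": "encryptedPassword",
    "aes_engine": "AesEngine",
    "base64_decode": "FromBase64String",
}


def find_indicators(blob: bytes) -> dict:
    """Return {indicator_name: occurrence_count} over ASCII and UTF-16LE encodings."""
    hits = {}
    for name, text in INDICATORS.items():
        count = blob.count(text.encode("ascii")) + blob.count(text.encode("utf-16-le"))
        if count:
            hits[name] = count
    return hits


def classify(hits: dict) -> str:
    """Mirror the report's confirmation rule: PDB path plus at least three Ginzo.exe
    references confirms the family; browser SQL strings alone are a generic stealer signal."""
    if hits.get("pdb_path") and hits.get("exe_name", 0) >= 3:
        return "confirmed-ginzo"
    if "chrome_cookie_sql" in hits or "firefox_cookie_sql" in hits:
        return "generic-browser-stealer"
    return "no-match"


# Constructed sample blob (not the real binary): an ASCII PDB path under a made-up
# build directory, three ASCII Ginzo.exe references, and the SQL/crypto strings
# encoded as UTF-16LE user strings.
SAMPLE = (
    b"\x00" * 8 + b"C:\\build\\Ginzo.pdb\x00" + b"Ginzo.exe\x00" * 3
    + "SELECT host_key,name,value,encrypted_value,path,expires_utc FROM cookies".encode("utf-16-le")
    + "SELECT id,name,value,host FROM moz_cookies".encode("utf-16-le")
    + "encryptedPassword".encode("utf-16-le")
    + "AesEngine".encode("utf-16-le") + "FromBase64String".encode("utf-16-le")
)

if __name__ == "__main__":
    hits = find_indicators(SAMPLE)
    print(hits, "->", classify(hits))
```

Matching at odd byte offsets is accepted on purpose, since a sweep over a whole file has no alignment information for the #US heap.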
IOC
| Field | Value |
|---|---|
| SHA256 | c73a91a1fdfa8b8ad1c4092fd33e3e84c16b568ae622996891d573bb449eec04 |
| PDB | Ginzo.pdb |
| Family | Ginzo Infostealer (.NET) |
| Target | Chrome cookies (encrypted_value), Firefox cookies (moz_cookies), Chrome/Firefox saved passwords |
| Encryption | AES + Base64 (AesEngine + FromBase64String) |
GinzoInfostealer — Malware Profile
Ginzo .NET infostealer. Confirmed by Ginzo.pdb. Chrome cookie theft via SELECT encrypted_value FROM cookies SQL query. Firefox cookie theft via SELECT FROM moz_cookies. Saved password theft via encryptedPassword/encryptedUsername fields. AES decryption via AesEngine + FromBase64String.
Malware Type
Infostealer
Programming Language
.NET/C#
C2 Protocol
HTTP/C2
Target Systems
Global
Capabilities & Behavior
Browser Credentials
Cookie Theft
Crypto Wallet Theft
System Information
Screenshot Capture
FTP/SSH Client Passwords
Email Client Theft
Data Exfiltration
IOC List (1 indicator)
IOC — GinzoInfostealer
| Type | Value | Note |
|---|---|---|
| sha256 | c73a91a1fdfa8b8ad1c4092fd33e3e84c16b568ae622996891d573bb449eec04 | Ginzo.exe sample (PDB: Ginzo.pdb) |