Deep Analysis — Ginzo Infostealer | Threat: CRITICAL

File Identity

SHA256: c73a91a1fdfa8b8ad1c4092fd33e3e84c16b568ae622996891d573bb449eec04
PDB: Ginzo.pdb
Size: 189,952 bytes (PE32 GUI x86, .NET)
Entropy: 5.902 (packer likely; section name sG'4.!$ is suspicious)
Timestamp: set in the future (forged)

Ginzo.pdb: Identity Confirmation

GINZO CONFIRMED: Ginzo.pdb + Ginzo.exe (x3 entries) -- definitive detection of the Ginzo Infostealer family!
Ginzo.pdb (PDB path)
Ginzo.exe (x3 references)

-- Ginzo: Python-based .NET infostealer family
-- Targets: Chrome, Firefox and Edge browser credentials
-- Cookie stealer: both the Chromium and the Firefox SQL queries are present
-- AES encryption: encrypted_value fields are decrypted with AES-256-CBC
-- Base64 decoding: FromBase64String is used to decode config and payload

Chrome Cookie SQL Query

SELECT creation_utc,top_frame_site_key,host_key,name,value,
  encrypted_value,path,expires_utc,is_secure,is_httponly,
  last_access_utc,has_expires,is_persistent,priority,
  samesite,source_scheme,source_port,is_same_party
FROM cookies

-- Target file: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookies
-- encrypted_value: cookie value encrypted with Windows DPAPI
-- Ginzo reads these values and decrypts them with the AES key
-- Targets: session tokens, authorization cookies, banking sessions

Firefox Cookie SQL Query

SELECT id,originAttributes,name,value,host,path,expiry,
  lastAccessed,creationTime,isSecure,isHttpOnly,
  inBrowserElement,sameSite,rawSameSite,schemeMap
FROM moz_cookies

-- Target file: %APPDATA%\Mozilla\Firefox\Profiles\*.default\cookies.sqlite
-- moz_cookies: the Firefox SQLite cookie table
-- value: readable directly, because Firefox does not encrypt cookie values
-- originAttributes: container/isolation attribute

Password Field IOC Evidence

timePasswordChanged
date_password_modified
passwordField
encryptedPassword
encryptedUsername
password_type
encrypted_value
password_value

-- These field names are the column names of the databases Ginzo targets
-- Chrome Login Data: encrypted_value, username_value, password_value
-- Firefox logins.json: encryptedPassword, encryptedUsername
-- AesEngine + FromBase64String: the encrypted records are decrypted with the .NET AES engine
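Detection logic built from the string evidence in the three sections above (the PDB path, the Chrome and Firefox cookie queries, the saved-password field names and the AesEngine/FromBase64String pair), as an added example that is not part of this report: a Python scanner that pulls ASCII and UTF-16LE strings out of a file image and rates it against those indicator groups. The function names, the verdict thresholds and the sample byte buffer are this example's own assumptions.

```python
import re
from typing import Dict, Iterable, List

# Indicator groups taken from the report's string evidence. A group counts as
# a hit only when every token in it is present (case-insensitive).
GINZO_INDICATORS = {
    "pdb_path": ("Ginzo.pdb",),
    "chrome_cookie_query": ("FROM cookies", "encrypted_value", "host_key"),
    "firefox_cookie_query": ("FROM moz_cookies", "originAttributes"),
    "saved_password_fields": ("encryptedPassword", "encryptedUsername"),
    "dotnet_aes_decrypt": ("AesEngine", "FromBase64String"),
}


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return ASCII and UTF-16LE strings. .NET user strings (#US heap) are
    UTF-16LE, so an ASCII-only pass would miss most SQL text and field names."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    utf16_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.decode("ascii") for m in re.findall(ascii_re, data)]
    found += [m.decode("utf-16le") for m in re.findall(utf16_re, data)]
    return found


def match_ginzo(strings: Iterable[str]) -> Dict[str, object]:
    blob = "\n".join(strings).lower()
    matched = [name for name, toks in GINZO_INDICATORS.items()
               if all(tok.lower() in blob for tok in toks)]
    # Thresholds are an assumption of this example: a PDB name alone is weak
    # evidence (trivially planted), so it must be backed by behavioural groups.
    if "pdb_path" in matched and len(matched) >= 3:
        verdict = "ginzo_confirmed"
    elif len(matched) >= 3:
        verdict = "ginzo_likely"
    elif matched:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "matched": matched}


def scan_bytes(data: bytes) -> Dict[str, object]:
    return match_ginzo(extract_strings(data))


# Constructed sample buffer imitating a .NET #US heap; not bytes from the real file.
SAMPLE = (b"Ginzo.pdb\x00"
          + "SELECT encrypted_value,host_key FROM cookies".encode("utf-16le")
          + "SELECT value FROM moz_cookies WHERE originAttributes".encode("utf-16le")
          + "encryptedPassword encryptedUsername".encode("utf-16le")
          + "AesEngine FromBase64String".encode("utf-16le"))

if __name__ == "__main__":
    print(scan_bytes(SAMPLE))
```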

IOC

SHA256: c73a91a1fdfa8b8ad1c4092fd33e3e84c16b568ae622996891d573bb449eec04
PDB: Ginzo.pdb
Family: Ginzo Infostealer (.NET)
Targets: Chrome cookies (encrypted_value), Firefox cookies (moz_cookies), Chrome/Firefox saved passwords
Encryption: AES + Base64 (AesEngine + FromBase64String)

GinzoInfostealer — Malware Profile

Ginzo .NET infostealer. Confirmed by Ginzo.pdb. Chrome cookie theft via SELECT encrypted_value FROM cookies SQL query. Firefox cookie theft via SELECT FROM moz_cookies. Saved password theft via encryptedPassword/encryptedUsername fields. AES decryption via AesEngine + FromBase64String.

Malware Type
Infostealer
Programming Language
.NET/C#
C2 Protocol
HTTP/C2
Target Systems
Global

Capabilities & Behavior

Browser Credentials
Cookie Theft
Crypto Wallet Theft
System Information
Screenshots
FTP/SSH Client Passwords
E-mail Client Theft
Data Exfiltration

IOC List (1 indicator)

IOC — GinzoInfostealer
# SHA256 c73a91a1fdfa8b8ad1c4092fd33e3e84c16b568ae622996891d573bb449eec04
Type | Value | Note
sha256 | c73a91a1fdfa8b8ad1c4092fd33e3e84c16b568ae622996891d573bb449eec04 | -
Tags: ginzoinfostealer, ginzo, ginzo-pdb-confirmed-ioc, chrome-cookie-sql-encrypted-value-theft, firefox-moz-cookies-sql-query, encryptedpassword-encryptedusername-field-names, aesengine-frombase64string-dotnet-aes-decryption, timepasswordchanged-date-password-modified, ginzo-infostealer-credential-theft, chromium-login-data-cookies-target