{
	"id": "41cffebb-22f9-4ff1-91b0-7b785bf13a01",
	"created_at": "2026-04-06T00:15:42.916173Z",
	"updated_at": "2026-04-10T03:20:23.542281Z",
	"deleted_at": null,
	"sha1_hash": "ec13986620980f97b6bef71aef6c440a7b20a708",
	"title": "Criminals provide Ginzo stealer for free, now it is gaining traction",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34452,
	"plain_text": "Criminals provide Ginzo stealer for free, now it is gaining traction\r\nBy Karsten Hahn\r\nPublished: 2022-04-21 · Archived: 2026-04-05 20:22:44 UTC\r\nGeneral behavior\r\nGinzo stealer first downloads the following additional libraries from its C\u0026C server:\r\nNewtonsoft.Json.dll\r\nBouncyCastle.Crypto.dll\r\nSQLite.Interop.dll for x86 and x64\r\nSystem.Data.SQLite.dll\r\nDotNetZip.dll\r\nDue to improper exception handling, the stealer crashes some time later if these libraries cannot be downloaded.\r\nThe stealer requests a ginzolist.txt from the C\u0026C server. This text file contains addresses of additional download\r\nlocations for executables. In our tests the file contained two entries that instruct Ginzo to download antiwm.exe[2]\r\nand generation.exe[3]. The file antivm.exe is a malicious coinminer and generation.exe is another .NET based\r\nstealer, specializing in Discord tokens. Both of these files are packed.\r\nGinzo creates a folder named GinzoFolder in %LOCALAPPDATA% (see picture below). It stores all the\r\nextracted system data there, such as screenshots, credentials, cookies, Telegram data, and cryptocurrency wallets. The\r\nstealer creates a file named System.txt to store generic system information, which includes the IP address,\r\noperating system, username, computer name, screen resolution, graphics card, processor, RAM, launch time and\r\nthe Ginzo stealer Telegram channel. The stealer also stores a datetime value in ChromeUploadTime.txt to\r\nmake sure that the stolen data is not sent to the threat actor too often.\r\nA listing of GinzoFolder contents and contained data is in the IoC section at the bottom.\r\nSource: https://www.gdatasoftware.com/blog/2022/03/ginzo-free-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2022/03/ginzo-free-malware"
	],
	"report_names": [
		"ginzo-free-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434542,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec13986620980f97b6bef71aef6c440a7b20a708.pdf",
		"text": "https://archive.orkl.eu/ec13986620980f97b6bef71aef6c440a7b20a708.txt",
		"img": "https://archive.orkl.eu/ec13986620980f97b6bef71aef6c440a7b20a708.jpg"
	}
}