Overview

overview

10

Static

static

view_attach_c4h.js

windows7_x64

10

view_attach_c4h.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    view_attach_c4h.js

  • Size

    3.5MB

  • Sample

    200403-sk5d4h39qx

  • MD5

    7122e78a761f320e7951d29867bbc0d5

  • SHA1

    56a4383852b142cf03c4184d09120738479dabbc

  • SHA256

    3c88a1b460b983d2fbabc34c3c90b827b0deb17eff8cd2ad07d24210e6339537

  • SHA512

    355832eeee9ece97d5bb355dc561c29ade318487c75d56a69b70c2fb572ec6c2a495440e5ff9952e403b6a4745bf77714716aa9b2ee51a66e912b731c81d7921

Score
10/10
gozi_ifsbursnifbankerevasionspywaretrojan

Malware Config

Targets

    • Target

      view_attach_c4h.js

    • Size

      3.5MB

    • MD5

      7122e78a761f320e7951d29867bbc0d5

    • SHA1

      56a4383852b142cf03c4184d09120738479dabbc

    • SHA256

      3c88a1b460b983d2fbabc34c3c90b827b0deb17eff8cd2ad07d24210e6339537

    • SHA512

      355832eeee9ece97d5bb355dc561c29ade318487c75d56a69b70c2fb572ec6c2a495440e5ff9952e403b6a4745bf77714716aa9b2ee51a66e912b731c81d7921

    Score
    10/10
    evasiontrojanbankergozi_ifsbursnifspyware

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • Ursnif, Dreambot

      Ursnif is a variant of the Gozi IFSB with more capabilities.

      bankertrojanursnif

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks