General

  • Target

    my_presentation_c1l.js

  • Size

    3.8MB

  • Sample

    200514-34hc8lc4ke

  • MD5

    763c2375aea17fffc6c0e24c2808570c

  • SHA1

    10f7b2d55a9a10902b91fb1c0e632e7db257006e

  • SHA256

    e4276d8f476bc00d0e1b946a5e4da025575753c7c1b4bbff3408f8a07461f72d

  • SHA512

    9a59f0c887368105ff7a5a329a775ff107a7e9ed306d56e4471aa4f7258b581ecc7960edb0ce89dbc411b23244fb45e561b4e2debbd71699df77467e2bd68beb

Malware Config

Targets

    • Target

      my_presentation_c1l.js

    • Size

      3.8MB

    • MD5

      763c2375aea17fffc6c0e24c2808570c

    • SHA1

      10f7b2d55a9a10902b91fb1c0e632e7db257006e

    • SHA256

      e4276d8f476bc00d0e1b946a5e4da025575753c7c1b4bbff3408f8a07461f72d

    • SHA512

      9a59f0c887368105ff7a5a329a775ff107a7e9ed306d56e4471aa4f7258b581ecc7960edb0ce89dbc411b23244fb45e561b4e2debbd71699df77467e2bd68beb

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Ursnif, Dreambot

      Ursnif is a variant of the Gozi IFSB with more capabilities.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks