General

  • Target

    434.dll

  • Size

    367KB

  • Sample

    200713-mmrz59yl5x

  • MD5

    7e9c8822be0f73073ce2cc5ef5a13c96

  • SHA1

    10b2f8667db53eaf1b85a209d9b80b834425167f

  • SHA256

    bd6840cc208517847e130db0c847e715ba80a88e210e6383b37c1d0381877ee5

  • SHA512

    120bfec74eed70dc19d7aff9ed8dc392616a6c652f4c7b3f642219c6d5203038e66cef65e67b79041b8653b65021e2402b3cfc0f3b6850afd1d13e2a03637118

Malware Config

Targets

    • Target

      434.dll

    • Size

      367KB

    • MD5

      7e9c8822be0f73073ce2cc5ef5a13c96

    • SHA1

      10b2f8667db53eaf1b85a209d9b80b834425167f

    • SHA256

      bd6840cc208517847e130db0c847e715ba80a88e210e6383b37c1d0381877ee5

    • SHA512

      120bfec74eed70dc19d7aff9ed8dc392616a6c652f4c7b3f642219c6d5203038e66cef65e67b79041b8653b65021e2402b3cfc0f3b6850afd1d13e2a03637118

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Ursnif, Dreambot

      Ursnif is a variant of the Gozi IFSB with more capabilities.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks for installed software on the system

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies system certificate store

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks