General

  • Target

    c9d954b3f1c512e6804fd8f5637b58b6

  • Size

    234KB

  • Sample

    201125-v3czamecp6

  • MD5

    c9d954b3f1c512e6804fd8f5637b58b6

  • SHA1

    b452040d8072117ddbe1adf9e1eab5e4bdb150bd

  • SHA256

    d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3

  • SHA512

    a4e949017016c1cfaa9bdff664c8ee20b2a34fe78788de9a4338ae5ad9a8a2623ccafe6d4584ef4f6cb29bc05dbcb3a71cbcd4051560287fbe74fb5a5738c09b

Malware Config

Targets

    • Target

      c9d954b3f1c512e6804fd8f5637b58b6

    • Size

      234KB

    • MD5

      c9d954b3f1c512e6804fd8f5637b58b6

    • SHA1

      b452040d8072117ddbe1adf9e1eab5e4bdb150bd

    • SHA256

      d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3

    • SHA512

      a4e949017016c1cfaa9bdff664c8ee20b2a34fe78788de9a4338ae5ad9a8a2623ccafe6d4584ef4f6cb29bc05dbcb3a71cbcd4051560287fbe74fb5a5738c09b

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Ursnif, Dreambot

      Ursnif is a variant of the Gozi IFSB with more capabilities.

    • ServiceHost packer

      Detects ServiceHost packer used for .NET malware

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Remote System Discovery

2
T1018

Process Discovery

1
T1057

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks