General

  • Target

    details.06.21.doc

  • Size

    45KB

  • Sample

    210610-267spsyg7s

  • MD5

    eb4ad3308c0c6623d8ac3093d7479f5a

  • SHA1

    143a4095d8e736e19078391a922a3835803bd431

  • SHA256

    a88169c57e59fdb8fd9127660b5a8c48cdc256ad18d843ab8971cc312171cf44

  • SHA512

    679c40e8778ee66e6a2c06e81028fe463f97ddbaf45572ea1f0056154b3d414f0ccbe6cac11b926da7712370478e18e310ed0c94a755b17f13f819151688990c

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes
  • build

    250204

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.base64
serpent.plain
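
To turn the extracted config into something you can hunt with, the following is an added example (not part of the sandbox report and not the sandbox's own code): it takes the two C2 hosts and the sample hashes from this page and matches them against DNS query records and file contents. The DNS log format is constructed for the example and is an assumption, as is the choice to treat subdomains of a listed host as hits but not the parent zone.

```python
"""Hunt for the C2 hosts and file hashes from the extracted Gozi ISFB config.
Added example; the DNS log format below is constructed, not the sandbox's."""
import hashlib

# Indicators copied from the report (Malware Config C2 list and General hashes).
C2_DOMAINS = {"authd.feronok.com", "app.bighomegl.at"}
SAMPLE_HASHES = {
    "sha256": "a88169c57e59fdb8fd9127660b5a8c48cdc256ad18d843ab8971cc312171cf44",
    "md5": "eb4ad3308c0c6623d8ac3093d7479f5a",
}

# Constructed DNS query log; hypothetical "<timestamp> <client> <qtype> <qname>" format.
SAMPLE_DNS_LOG = """\
2021-06-10T12:00:01Z 10.0.0.5 A www.example.com
2021-06-10T12:00:02Z 10.0.0.5 A AUTHD.feronok.com
2021-06-10T12:00:03Z 10.0.0.7 A cdn.bighomegl.at
2021-06-10T12:00:04Z 10.0.0.7 A app.bighomegl.at.
2021-06-10T12:00:05Z 10.0.0.9 A feronok.com
2021-06-10T12:00:06Z 10.0.0.9 A evil.app.bighomegl.at
"""


def normalize_qname(qname):
    """Lower-case the name and drop the trailing dot of an absolute name."""
    return qname.rstrip(".").lower()


def matching_ioc(qname, iocs=C2_DOMAINS):
    """Return the IOC that qname equals or sits under, else None.
    The parent zone alone (feronok.com) is not matched: only the listed host
    is an indicator from this config (assumption for this example)."""
    q = normalize_qname(qname)
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def find_c2_queries(log_text, iocs=C2_DOMAINS):
    """Return (timestamp, client, queried name, matched IOC) for every C2 lookup."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed record
        ts, client, _qtype, qname = fields[:4]
        ioc = matching_ioc(qname, iocs)
        if ioc:
            hits.append((ts, client, normalize_qname(qname), ioc))
    return hits


def hash_matches_sample(data, hashes=SAMPLE_HASHES):
    """True if the bytes hash to the report's sample under any listed algorithm."""
    return any(hashlib.new(alg, data).hexdigest() == digest
               for alg, digest in hashes.items())


if __name__ == "__main__":
    for hit in find_c2_queries(SAMPLE_DNS_LOG):
        print("C2 lookup:", hit)
```

Note the two deliberate misses in the constructed log: cdn.bighomegl.at is a sibling of the listed host, not a subdomain of it, and feronok.com is the parent zone; whether to widen the match to the registered domain is a judgement call that depends on how much else is hosted there.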

Targets

    • Target

      details.06.21.doc

    • Size

      45KB

    • MD5

      eb4ad3308c0c6623d8ac3093d7479f5a

    • SHA1

      143a4095d8e736e19078391a922a3835803bd431

    • SHA256

      a88169c57e59fdb8fd9127660b5a8c48cdc256ad18d843ab8971cc312171cf44

    • SHA512

      679c40e8778ee66e6a2c06e81028fe463f97ddbaf45572ea1f0056154b3d414f0ccbe6cac11b926da7712370478e18e310ed0c94a755b17f13f819151688990c

    • Gozi, Gozi ISFB

      Gozi ISFB is a well-known and widely distributed banking trojan. The config extracted above comes from the loader stage (exe_type loader) and lists the C2 hosts that stage contacts.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL
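
The first two signatures above both come down to process lineage: an Office process that opened the document starting something it normally would not, and a child whose recorded parent is not the process that actually called the create-process API (parent-PID spoofing). The following is an added example of that detection logic, not the sandbox's own signature code. The event format, the creator-PID field, the Office image list and the allowlist of legitimate Office children are all assumptions made for the example; the events themselves are constructed.

```python
"""Flag unexpected Office child processes and parent-PID spoofing from a
process-creation event stream. Added example; event format is constructed."""
from collections import namedtuple

# ppid: parent recorded in the process object (what most tools display).
# creator: the process that actually issued the create call; the two differ
# when the creator passed another process as the parent (PPID spoofing).
Event = namedtuple("Event", "pid ppid creator image")

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children an Office process may legitimately start (assumption for this example).
OFFICE_ALLOWED_CHILDREN = {"splwow64.exe", "msohtmed.exe"}

# Constructed events: explorer opens Word, Word spawns cmd -> rundll32,
# rundll32 starts svchost while claiming explorer (pid 400) as its parent.
SAMPLE_EVENTS = [
    Event(400, 300, 300, r"C:\Windows\explorer.exe"),
    Event(1200, 400, 400, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event(1320, 1200, 1200, r"C:\Windows\System32\cmd.exe"),
    Event(1400, 1320, 1320, r"C:\Windows\System32\rundll32.exe"),
    Event(1500, 400, 1400, r"C:\Windows\System32\svchost.exe"),
    Event(1600, 1200, 1200, r"C:\Windows\splwow64.exe"),
]


def image_name(path):
    """Lower-case file name of an image path, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(pid, by_pid, use_creator=False):
    """Image names from the root down to pid, following either the recorded
    parent or the real creator. Stops at unknown pids and guards against cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(image_name(ev.image))
        pid = ev.creator if use_creator else ev.ppid
    return list(reversed(chain))


def find_unexpected_office_children(events, use_creator=True):
    """Return (pid, 'office.exe > ... > child.exe') for every process that
    descends from an Office image and is not on the allowlist."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        chain = lineage(ev.pid, by_pid, use_creator)
        office_idx = next((i for i, name in enumerate(chain[:-1])
                           if name in OFFICE_IMAGES), None)
        if office_idx is None or chain[-1] in OFFICE_ALLOWED_CHILDREN:
            continue
        alerts.append((ev.pid, " > ".join(chain[office_idx:])))
    return alerts


def find_parent_spoofing(events):
    """Return (pid, image, claimed parent image, real creator image) where the
    recorded parent and the creating process disagree."""
    by_pid = {e.pid: e for e in events}
    return [(ev.pid, image_name(ev.image),
             image_name(by_pid[ev.ppid].image), image_name(by_pid[ev.creator].image))
            for ev in events
            if ev.ppid != ev.creator and ev.ppid in by_pid and ev.creator in by_pid]


if __name__ == "__main__":
    for alert in find_unexpected_office_children(SAMPLE_EVENTS):
        print("unexpected Office child:", alert)
    for alert in find_parent_spoofing(SAMPLE_EVENTS):
        print("parent spoofing:", alert)
```

Walking the tree by creator rather than by recorded parent is what keeps the spoofed svchost.exe inside the Word lineage; with use_creator=False it appears as a harmless child of explorer.exe and only the separate spoofing check catches it. That is the reason sandboxes raise the "other parent process" signature on its own rather than relying on the parent chain alone.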

MITRE ATT&CK Matrix ATT&CK v6

Tactic            Technique                      ID      Matches
Defense Evasion   Modify Registry                T1112   1
Discovery         System Information Discovery   T1082   3
Discovery         Query Registry                 T1012   2

Tasks