General

  • Target

    noarch.pdf.zip

  • Size

    54KB

  • Sample

    220215-nj9y6afffj

  • MD5

    65e36136b8d55aa0c06301142040db5e

  • SHA1

    a940739823fb6f65773ab9a5ea19d727122b8928

  • SHA256

    aef43e285b2ce7f8cc0e4f219779b14f461bf78c422f1d7d69bce17a50b9017c

  • SHA512

    2bb4b2d4a6c653bfafb52ca13bc44f3bbbe2cf069a6182c5820f60b5755db1f0cbe526ca9620770a7f87ebf8b3b658e2fd70b3a8c970c44a5687f6662b84db9a

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2022

C2

update.kaspersky.com

plunger.in

update.fortinet.com

blancs.ws

piepes.in

csite.ws

Note: update.kaspersky.com and update.fortinet.com are legitimate vendor domains. ISFB configurations routinely mix such hosts into the C2 list as decoys, so keep them as hunting context (a request for the base_path/extension pattern listed under Attributes against one of them is still a beacon attempt) rather than adding them to a block list.

Attributes

  • base_path

    /drew/

  • build

    250224

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain
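
The extracted configuration is most useful once it is turned into something that can be checked against network telemetry. The Python below is an added example, not part of the sandbox report: it builds indicators from the values listed above and classifies a handful of constructed proxy log lines. Two things in it are assumptions rather than report content: the beacon URL shape (base_path, then encoded data possibly split into several path segments, then the extension) and the treatment of the two vendor domains as decoys.

```python
"""Turn the extracted Gozi ISFB configuration into hunting indicators and
check proxy log lines against them (added example, not sandbox output)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of this report.
EXTRACTED_CONFIG = {
    "family": "gozi_ifsb",
    "botnet": "2022",
    "build": "250224",
    "server_id": "50",
    "base_path": "/drew/",
    "extension": ".jlk",
    "c2": [
        "update.kaspersky.com",
        "plunger.in",
        "update.fortinet.com",
        "blancs.ws",
        "piepes.in",
        "csite.ws",
    ],
}

# Assumption: legitimate vendor domains that ISFB configs carry as decoys.
# They are not attacker infrastructure and must not go on a block list.
DECOY_SUFFIXES = ("kaspersky.com", "fortinet.com")


@dataclass
class Indicators:
    block_hosts: set
    decoy_hosts: set
    beacon_path: re.Pattern


def is_decoy(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DECOY_SUFFIXES)


def build_indicators(cfg: dict = EXTRACTED_CONFIG) -> Indicators:
    block = {h.lower() for h in cfg["c2"] if not is_decoy(h)}
    decoy = {h.lower() for h in cfg["c2"] if is_decoy(h)}
    # Assumed beacon URL shape: <base_path><encoded data, possibly split into
    # several path segments><extension>. Anchored at both ends so "/drew/"
    # buried inside a longer path does not match.
    beacon = re.compile(
        "^" + re.escape(cfg["base_path"]) + r"[A-Za-z0-9_\-/]+"
        + re.escape(cfg["extension"]) + "$"
    )
    return Indicators(block, decoy, beacon)


def classify_url(ind: Indicators, url: str) -> str:
    """Verdict for one URL: c2, c2-host, decoy-beacon, pattern-only or clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    path_hit = ind.beacon_path.match(parts.path) is not None
    if host in ind.block_hosts:
        return "c2" if path_hit else "c2-host"
    if host in ind.decoy_hosts:
        # A vendor site would never serve this path: the bot is cycling through
        # its decoy entries, which is still a beacon attempt worth an alert.
        return "decoy-beacon" if path_hit else "clean"
    # Path shape alone: possibly a rotated C2 absent from this config version.
    return "pattern-only" if path_hit else "clean"


# Constructed proxy log lines (epoch, client, URL); not from the sandbox run.
PROXY_LOG = """\
1644924000.101 10.0.5.17 http://plunger.in/drew/Ab3xQ_9z/kLm2/PqR7.jlk
1644924001.557 10.0.5.17 http://update.kaspersky.com/drew/Zz9Q/aB12.jlk
1644924003.002 10.0.5.22 https://update.kaspersky.com/updates/index.xml
1644924004.880 10.0.5.31 http://csite.ws/
1644924006.314 10.0.5.40 http://cdn.example.org/drew/XyZ1/2345.jlk
1644924008.000 10.0.5.41 https://www.example.com/index.html
"""


def scan_log(ind: Indicators, text: str = PROXY_LOG) -> list:
    """Return (client, host, verdict) for every line that is not clean."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash the sweep
        _, client, url = fields[:3]
        verdict = classify_url(ind, url)
        if verdict != "clean":
            hits.append((client, urlsplit(url).hostname, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(build_indicators()):
        print("%-10s %-25s %s" % hit)
```

The split between `c2-host` and `c2` matters in practice: a bare hit on a registered-looking domain such as csite.ws may be an unrelated visit, while the full base_path/extension shape on any host, decoy or otherwise, is the bot talking to its panel and is the stronger signal to pivot on.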

Targets

    • Target

      noarch.pdf

    • Size

      116KB

    • MD5

      8e539148cc1cec69e938ca025d7e973e

    • SHA1

      6602b9ef993d16c33c2ca69e15e0212130ce59dd

    • SHA256

      076209217dd62413bbe4fb40f9be740a0a732f54418e378547972dcb3681922a

    • SHA512

      c960eb056c9850d1878f7cacd624938e9b4a12e6ef057ba5a1033c92a5bf00b2e7b69ae8d3f02e6d5900a5a9c2bdd202d437cef250ef0a57a00234d3c64866df

    • Gozi, Gozi ISFB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is a common step in process hollowing and related injection techniques, where a loader redirects a suspended thread to injected code.
