General

  • Target

    2c11640089c7c8df708065e8d3c2e3681835c42b41d2f7dbb43c3dc47b07f086

  • Size

    6.7MB

  • Sample

    220215-r1583shcdp

  • MD5

    912f63b117272068bcb232eae2f60cf7

  • SHA1

    3cf15643219acd9799cf1b23ad60756dede4594f

  • SHA256

    2c11640089c7c8df708065e8d3c2e3681835c42b41d2f7dbb43c3dc47b07f086

  • SHA512

    60c7f2446249c0d49d74b65aba985588980d38cd6770e24120fccbd05bd88a632f85383fc421d9b42f830c73c892d9045e96cd73b7dc91d418d630322898fc2b

Malware Config

Targets

    • Target

      2c11640089c7c8df708065e8d3c2e3681835c42b41d2f7dbb43c3dc47b07f086

    • Size

      6.7MB

    • MD5

      912f63b117272068bcb232eae2f60cf7

    • SHA1

      3cf15643219acd9799cf1b23ad60756dede4594f

    • SHA256

      2c11640089c7c8df708065e8d3c2e3681835c42b41d2f7dbb43c3dc47b07f086

    • SHA512

      60c7f2446249c0d49d74b65aba985588980d38cd6770e24120fccbd05bd88a632f85383fc421d9b42f830c73c892d9045e96cd73b7dc91d418d630322898fc2b

    • Gozi, Gozi ISFB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL
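The signatures above are behavioural rules evaluated over the sandbox's event trace. The following script is an added example (not the sandbox's own code) that shows the two checks a practitioner performs with a report like this: confirm the artifact on disk matches the listed digests before trusting the report, and re-derive each listed signature from a simplified event stream. The `Event` record, the sample events, and the benign baseline are constructed for the example. The GeoID registry path is general Windows knowledge (the report only says "country code configured in the registry"), and the `.vmp*` section-name heuristic is an assumption about how a VMProtect detection might work, not the sandbox's actual rule.

```python
import hashlib
from dataclasses import dataclass


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Compare a file's digests with those listed in a report.

    Returns {algorithm: matched} so a mismatch on any one algorithm is visible.
    """
    return {
        algo: hashlib.new(algo, data).hexdigest().lower() == digest.lower()
        for algo, digest in expected.items()
    }


# Windows keeps the user's configured country (GeoID) under this value; a
# sample reading it is the usual geofence lookup (general Windows fact, the
# report itself only says "country code configured in the registry").
GEO_KEY = r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"

# Section names VMProtect typically emits (assumption: a real signature also
# looks at entry point and import characteristics).
VMP_SECTIONS = {".vmp0", ".vmp1", ".vmp2"}


@dataclass
class Event:
    """One sandbox behaviour record (constructed format, not the sandbox's)."""
    kind: str           # file_write | process_create | dll_load | registry_read
    pid: int
    path: str = ""      # file, image or registry path
    cmdline: str = ""   # for process_create only


def dropped_artifact_used(events, use_kind):
    """Executes dropped EXE / Loads dropped DLL: a path the sample wrote earlier
    is later started as a process (use_kind="process_create") or mapped as a
    module (use_kind="dll_load")."""
    dropped, hits = set(), []
    for ev in events:
        if ev.kind == "file_write":
            dropped.add(ev.path.lower())
        elif ev.kind == use_kind and ev.path.lower() in dropped:
            hits.append(ev.path)
    return hits


def modifies_firewall(events):
    """Modifies Windows Firewall: netsh advfirewall invocations in the tree."""
    return [ev.cmdline for ev in events
            if ev.kind == "process_create"
            and "netsh" in ev.cmdline.lower()
            and "advfirewall" in ev.cmdline.lower()]


def checks_location(events):
    """Checks computer location settings: a read of the GeoID value."""
    return [ev.path for ev in events
            if ev.kind == "registry_read" and ev.path.lower() == GEO_KEY.lower()]


def vmprotect_packed(section_names):
    """VMProtect packed file: any section carrying a VMProtect-style name."""
    return any(name.lower() in VMP_SECTIONS for name in section_names)


def run_signatures(events, section_names):
    """Evaluate every signature once, keyed by the name the report uses."""
    return {
        "Executes dropped EXE": bool(dropped_artifact_used(events, "process_create")),
        "Loads dropped DLL": bool(dropped_artifact_used(events, "dll_load")),
        "Modifies Windows Firewall": bool(modifies_firewall(events)),
        "Checks computer location settings": bool(checks_location(events)),
        "VMProtect packed file": vmprotect_packed(section_names),
    }


# Constructed event stream that mimics the behaviour the report lists.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    Event("registry_read", 1000, GEO_KEY),
    Event("file_write", 1000, TMP + r"\payload.exe"),
    Event("file_write", 1000, TMP + r"\helper.dll"),
    Event("process_create", 1000, TMP + r"\payload.exe", cmdline=TMP + r"\payload.exe"),
    Event("dll_load", 1001, TMP + r"\helper.dll"),
    Event("process_create", 1001, r"C:\Windows\System32\netsh.exe",
          cmdline='netsh advfirewall firewall add rule name="svc" dir=in '
                  'action=allow program="' + TMP + r'\payload.exe"'),
]
SAMPLE_SECTIONS = [".text", ".rdata", ".data", ".vmp0", ".vmp1", ".reloc"]

# Constructed benign baseline: nothing dropped, no netsh, no GeoID read.
BENIGN_EVENTS = [
    Event("process_create", 2000, r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe"),
    Event("dll_load", 2000, r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for name, hit in run_signatures(SAMPLE_EVENTS, SAMPLE_SECTIONS).items():
        print(f"{name}: {'HIT' if hit else '-'}")
```

To use `verify_hashes` against the real artifact, read the file's bytes and pass the MD5, SHA1, SHA256 and SHA512 values listed in the report as the `expected` dict; any `False` means the file on disk is not the one the sandbox analysed. The dropped-file rules deliberately match across the whole process tree rather than per PID, which is why the DLL loaded by the child process still counts.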

MITRE ATT&CK Enterprise v6

Tasks