General

  • Target

    fd8a0e5e38add0cd0b2aaf40253a20c26c1181b6410b0cd74d3c851db09829ef

  • Size

    3.0MB

  • Sample

    220315-n6efrscgeq

  • MD5

    0506fbffe1c36a6a3dbb18e528a40e3c

  • SHA1

    c0b3ee8d9abe31f529a416f447fae3fe2cea910d

  • SHA256

    fd8a0e5e38add0cd0b2aaf40253a20c26c1181b6410b0cd74d3c851db09829ef

  • SHA512

    d84da5b8e436b75e083a02d10b41c6cfb8390f1515946fe8ef701e5d856f22834fd0e6711f11ccfdbffacd02fd230f925e42959eae96a2162fee0a5c52f95c71

Malware Config

Targets

    • Gozi, Gozi ISFB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6
