General

  • Target

    SecuriteInfo.com.Trojan.Siggen17.24708.25098.10939

  • Size

    7.7MB

  • Sample

    220321-y5lhssaadl

  • MD5

    7bf3a72a5287c6388cda810822c894a3

  • SHA1

    4c23e414457d18ceee367a19afbe0c51588c3df0

  • SHA256

    7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476

  • SHA512

    014fa7d7ead618cdbead06ec8658b7c41baba40d1954358065b28f0eab824028a4b34263d187ed332a0e40b5e6bba64b027bf6cfadf638b0924ae96aba00d9c9

Malware Config

Targets


    • Gozi, Gozi ISFB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks