General

  • Target

    98b082b4d65dfe4ee5b227575d1c08ef.png

  • Size

    215KB

  • Sample

    220322-lnvc6aehb5

  • MD5

    98b082b4d65dfe4ee5b227575d1c08ef

  • SHA1

    21d9d7f91bdab90a3900832404be3bab06e82c03

  • SHA256

    e7767ba8bcff3242dd32f880cb59894c3ce5615a2557504db976803cd246354e

  • SHA512

    e7e46e85699716dec1aedce1dbc7e995f5507b1de137c77110225e162ac2ffcfeedd50f2e5292302043f445ef0eaf7fc551edcf43a195d815c2c1f15469dc8c1

Malware Config

Extracted

  • Family

    gozi_ifsb

  • Botnet

    3000

  • C2

    config.edge.skype.com
    194.76.226.200
    giporedtrip.at
    habpfans.at
    31.214.157.187

  • Attributes

    base_path: /drew/
    build: 250225
    exe_type: loader
    extension: .jlk
    server_id: 50

  • rsa_pubkey.plain

  • aes.plain

Extracted

  • Family

    gozi_ifsb

  • Botnet

    3000

  • C2

    config.edge.skype.com
    194.76.226.200
    giporedtrip.at
    habpfans.at
    31.214.157.187

  • Attributes

    base_path: /images/
    exe_type: worker
    extension: .jlk
    server_id: 50

  • rsa_pubkey.plain

  • aes.plain

Targets

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • UAC bypass

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
