General

  • Target

    30927196831357c7106b547ded1c8680894ea74dfdd79a0b359d5b11f0a26034

  • Size

    7.8MB

  • Sample

    220326-rmpzyadfh5

  • MD5

    5700a0f42b0da5811741ce83b57ca2d8

  • SHA1

    8ce1401455ea7857b7727876f912897a184925c8

  • SHA256

    30927196831357c7106b547ded1c8680894ea74dfdd79a0b359d5b11f0a26034

  • SHA512

    c5109fc2d9e81f1c9e445c4d9e43d7ccc41b2abfe5f5e6c11d69ad28d0ae645331eb47c362c10cf338627c4ae1571f39b6a9894594096ae8976f593798b5e2aa

Malware Config

Targets

    • Target

      30927196831357c7106b547ded1c8680894ea74dfdd79a0b359d5b11f0a26034

    • Size

      7.8MB

    • MD5

      5700a0f42b0da5811741ce83b57ca2d8

    • SHA1

      8ce1401455ea7857b7727876f912897a184925c8

    • SHA256

      30927196831357c7106b547ded1c8680894ea74dfdd79a0b359d5b11f0a26034

    • SHA512

      c5109fc2d9e81f1c9e445c4d9e43d7ccc41b2abfe5f5e6c11d69ad28d0ae645331eb47c362c10cf338627c4ae1571f39b6a9894594096ae8976f593798b5e2aa

    • Gozi, Gozi ISFB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • UAC bypass

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory
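The "Writes to the Master Boot Record (MBR)" signature is the one a responder should verify on the host, since a bootkit survives reinstalling the OS on the same disk. The following is an added example, not part of this report or of any sandbox's own tooling: it parses sector 0 of a raw disk image or device, validates the 0x55AA boot signature and the partition table, and compares a SHA-256 of the 440-byte bootstrap area against a baseline. The baseline hash, the bootstrap bytes, the disk signature and the partition layout below are all constructed placeholders; on a real investigation the baseline comes from a known-clean image of the same build.

```python
"""Parse a 512-byte MBR and flag signs of tampering.

Added example for the sandbox report; constructed data, not from the sample.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code occupies 0x000-0x1B7
DISK_SIG_OFF = 0x1B8         # 4-byte disk signature (assumed constructed value below)
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"       # bytes 0x1FE-0x1FF


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and (status, type, lba, sectors) tuples."""
    mbr = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x12\x34\x56\x78"   # constructed disk signature
    for i, (status, ptype, lba, sectors) in enumerate(partitions):
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i, status, ptype, lba, sectors)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into bootstrap hash, disk signature, partition entries and boot-signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, sectors = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype, "lba": lba, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": parts,
        "has_boot_signature": mbr[510:512] == BOOT_SIG,
    }


def inspect_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    info = parse_mbr(mbr)
    findings = []
    if not info["has_boot_signature"]:
        findings.append("0x55AA boot signature missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid partition status 0x{p['status']:02x}")
    used = [p for p in info["partitions"] if p["type"] != 0]
    for i, a in enumerate(used):
        for b in used[i + 1:]:
            if a["lba"] < b["lba"] + b["sectors"] and b["lba"] < a["lba"] + a["sectors"]:
                findings.append("overlapping partition entries")
    return findings


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a raw image or device (e.g. r'\\.\PhysicalDrive0' on Windows, elevated)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed sample data (not from the report): placeholder bootstrap bytes and one NTFS partition.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Constructed "bootkit" variant: the first bytes of the bootstrap are replaced with a jump.
_t = bytearray(CLEAN_MBR)
_t[0:3] = b"\xe9\x00\x01"
TAMPERED_MBR = bytes(_t)

if __name__ == "__main__":
    import sys
    target = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else TAMPERED_MBR
    for finding in inspect_mbr(target, BASELINE):
        print("finding:", finding)
```

Run it against a raw image taken from the infected host (`python mbr_check.py disk.img`); the hash comparison only proves anything if the baseline was captured from a clean machine with the same OS build, since the bootstrap code differs between Windows versions and disk tools.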

MITRE ATT&CK Enterprise v6

Tasks