General

  • Target: 6241776210940.rar

  • Size: 496KB

  • Sample: 220328-k1k5kshcb6

  • MD5: 56af6074a589ed0fd684f0fd097887d4

  • SHA1: 6f3669d58b2744e12a3aa94f9782f6965efbf344

  • SHA256: 1a16288bf4484b2a6692dcb7244942d7bea94ce3597c175910f91cc2b2613365

  • SHA512: afa70c982215e80596fbb2e4a5a39f765e61b2080946c178aebbe4d165ed9d8aa668715854fa0056d9bd3dda40e9eb0049839345b0d6c3f5400dcb924990b725

Malware Config

Extracted

Family: gozi_ifsb

Botnet: 3000

C2:

  • config.edge.skype.com

  • 46.30.43.44

  • 185.154.52.213

  • 185.154.53.38

Attributes:

  • base_path: /drew/

  • build: 250225

  • exe_type: loader

  • extension: .jlk

  • server_id: 50

rsa_pubkey.plain
aes.plain

Extracted

Family: gozi_ifsb

Botnet: 3000

C2:

  • config.edge.skype.com

  • 185.154.53.58

  • cabrioxmdes.at

  • hopexmder.net

  • 185.154.53.49

  • 193.56.146.189

Attributes:

  • base_path: /images/

  • exe_type: worker

  • extension: .jlk

  • server_id: 50

rsa_pubkey.plain
aes.plain

Targets

    • Target: 6241776210940.rar

    • Size: 496KB

    • MD5: 56af6074a589ed0fd684f0fd097887d4

    • SHA1: 6f3669d58b2744e12a3aa94f9782f6965efbf344

    • SHA256: 1a16288bf4484b2a6692dcb7244942d7bea94ce3597c175910f91cc2b2613365

    • SHA512: afa70c982215e80596fbb2e4a5a39f765e61b2080946c178aebbe4d165ed9d8aa668715854fa0056d9bd3dda40e9eb0049839345b0d6c3f5400dcb924990b725

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks