General

  • Target

    62418993a4f7f.dll

  • Size

    528KB

  • Sample

    220328-l8g9bshdh8

  • MD5

    bb9dc919d8be2b646f5e7625b92876fc

  • SHA1

    e2b555b256a9f827f68dc6e71942a09d0d7e69ff

  • SHA256

    da266d429a932be228984ed5b0a0b030e5c33493bd6ef6a90bce9502eec38473

  • SHA512

    82f08e0c882dbe6be2bc745f5da4e148637ef5bf8851cdc5360fa0c7d82ff0ab372c565af9e36f32a20bd4533a704be30634da059075b4a014c58090604b176e

Malware Config

Extracted

  • Family

    gozi_ifsb

  • Botnet

    3000

  • C2

    config.edge.skype.com
    46.30.43.44
    185.154.52.213
    185.154.53.38

  • Attributes

      • base_path

        /drew/

      • build

        250225

      • exe_type

        loader

      • extension

        .jlk

      • server_id

        50

    rsa_pubkey.plain
    aes.plain

Extracted

  • Family

    gozi_ifsb

  • Botnet

    3000

  • C2

    config.edge.skype.com
    185.154.53.58
    cabrioxmdes.at
    hopexmder.net
    185.154.53.49
    193.56.146.189

  • Attributes

      • base_path

        /images/

      • exe_type

        worker

      • extension

        .jlk

      • server_id

        50

    rsa_pubkey.plain
    aes.plain

Targets

    • Target

      62418993a4f7f.dll

    • Size

      528KB

    • MD5

      bb9dc919d8be2b646f5e7625b92876fc

    • SHA1

      e2b555b256a9f827f68dc6e71942a09d0d7e69ff

    • SHA256

      da266d429a932be228984ed5b0a0b030e5c33493bd6ef6a90bce9502eec38473

    • SHA512

      82f08e0c882dbe6be2bc745f5da4e148637ef5bf8851cdc5360fa0c7d82ff0ab372c565af9e36f32a20bd4533a704be30634da059075b4a014c58090604b176e

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks