General

  • Target

    20dee76fff8f3f55bcf4c4f24e4a891dbf6a9eca96f61d34392ff170eb380510

  • Size

    449KB

  • Sample

    220612-mfa5zsdbh5

  • MD5

    b63bff90e6a55c4a404a8a48d076de45

  • SHA1

    ffcecd29b2b85d02e83f63273ab6b7110516a242

  • SHA256

    20dee76fff8f3f55bcf4c4f24e4a891dbf6a9eca96f61d34392ff170eb380510

  • SHA512

    3ad8ec6f8af275fee086f9748ad7de6bb645759043da68d78fb544a14dd286fe55d84885cd99772eebee53c2dbe984c6d9759347136ad2d5839ee9f01a78f565

Malware Config

Extracted

Family

gozi_ifsb

Attributes

  • build

    214963

Targets

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks