General

  • Target

    208ed3ea9472bbe3eb1ee998d6e8880efaa22a548f4dc175b58ac65f74efdba1

  • Size

    488KB

  • Sample

    220612-pcmqqaback

  • MD5

    6653dc0c530660190ef929f046241233

  • SHA1

    d1b7a0df02afa111752e5b8008e6a7a2fd32abc5

  • SHA256

    208ed3ea9472bbe3eb1ee998d6e8880efaa22a548f4dc175b58ac65f74efdba1

  • SHA512

    d87c1f9fead07efd921a2bab41bec9f255bbbdfc36d10fc875e394aa374193b55eca3c80513af4085c525433be3f172e9c9aecdd188ed75e16594e7647d5c92a

Malware Config

  • Extracted

  • Family

    gozi_ifsb

  • Attributes

    • build

      214963

Targets

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks