General

  • Target

    2cda58093f1ac8dab1702e27aa6662493263a8c80d99360bbf1d6ca60ffbb7fe

  • Size

    417KB

  • Sample

    220614-1amtgsdgbk

  • MD5

    7331d75246a6b080b0554b7999a67ab2

  • SHA1

    cf9a0f3a8c5513dd86544a2dc96d9d6c4e5a0766

  • SHA256

    2cda58093f1ac8dab1702e27aa6662493263a8c80d99360bbf1d6ca60ffbb7fe

  • SHA512

    4b3e9b2b2b069ff58be7af417db78ba245f6eb323650e94d9e44b247a81676994f2a46acf2a426cd37628e91a40bcabcad7e995f7691c0c3af1db26226b4d093

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1001

C2

31.184.234.74

Attributes

  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      2cda58093f1ac8dab1702e27aa6662493263a8c80d99360bbf1d6ca60ffbb7fe

    • Size

      417KB

    • MD5

      7331d75246a6b080b0554b7999a67ab2

    • SHA1

      cf9a0f3a8c5513dd86544a2dc96d9d6c4e5a0766

    • SHA256

      2cda58093f1ac8dab1702e27aa6662493263a8c80d99360bbf1d6ca60ffbb7fe

    • SHA512

      4b3e9b2b2b069ff58be7af417db78ba245f6eb323650e94d9e44b247a81676994f2a46acf2a426cd37628e91a40bcabcad7e995f7691c0c3af1db26226b4d093

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks