General

  • Target

    2989e22f5b1a4234f4be6a8a3e42486824a4701c0e1132a93b41919104eeee8c

  • Size

    460KB

  • Sample

    220615-rc5yeacgb9

  • MD5

    819c4b0426ed253fe96fdbd9fa0f96f7

  • SHA1

    3b0a1a53ec7384bcb57437f8e396a24955130031

  • SHA256

    2989e22f5b1a4234f4be6a8a3e42486824a4701c0e1132a93b41919104eeee8c

  • SHA512

    f559947dd6662949f582d7830e09dffd3dc414469d02eb2d11d99c7ba12278928a825b87fb90e8f1df0fe598cd2cf299addf4fbbeb52f0a790db77c53c570eba

Malware Config

Extracted

Family

gozi_ifsb

Attributes
  • build

    214963

Targets

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
