General

  • Target: 2906b3607e2102cce5f0117d408de0d156cd09c5999d43f42a0d59dfae20b97e
  • Size: 259KB
  • Sample: 220615-s45x6adfal
  • MD5: 2c77f29a2d1f489fb705ad1e3a9a15ad
  • SHA1: cde9b78eccbaef5a8534afa726b392e761a6c759
  • SHA256: 2906b3607e2102cce5f0117d408de0d156cd09c5999d43f42a0d59dfae20b97e
  • SHA512: 8e17806d387abb720f9b42de5c634ec368bfd0867c09ba989eb386b392a331fac6def852c2c0ef25abd62420e9f90a1ae80e471d839efb84aa2a49ea88c4b956

Malware Config

Extracted

Family: gozi_ifsb

Botnet: 1004

C2
  • alefistacorm.ru
  • kashainterest.ru

Attributes
  • exe_type: worker

rsa_pubkey.plain
serpent.plain

Targets

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks