General

  • Target

    5b1141dfb2a6554a478d47d9e6fadd663b2a67f86d0d4aaa476f4d7cc6f0ebf9

  • Size

    424KB

  • Sample

    220802-bk29gscgg3

  • MD5

    4d3969a62ce0f6d3d5b417c670f866ea

  • SHA1

    1dc8ebae020c1c859eb1f75a1cf500d4caac4c5e

  • SHA256

    5b1141dfb2a6554a478d47d9e6fadd663b2a67f86d0d4aaa476f4d7cc6f0ebf9

  • SHA512

    f1c6c616a2483c3b20c1eada734bc02a067cbcce5f032431f227d70b06851b0f2e024526bbe39624510bfa164bc8d8dd1eac0c45009902cc207f1a09a1688614

Malware Config

Extracted

  • Family

    gozi_ifsb

  • Botnet

    1092

  • C2

    awd.byfaithchurch.org

Attributes

  • build

    215797

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • exe_type

    worker

  • server_id

    12

  • rsa_pubkey.plain

  • serpent.plain

Targets

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6
