General

  • Target

    62ea3f935563b.dll

  • Size

    300KB

  • Sample

    220803-lf232aafem

  • MD5

    614e312af0e5de7c6b9819e3a1c766d4

  • SHA1

    01e384618d8eadb244184e66e6450752ea0ceade

  • SHA256

    982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203

  • SHA512

    362b32fbc61baf1c757f72d61e582e2741553eda4de022311757a0732a23edabafbcd6affdab97c49d5e1378587b16f1d6730fd9446c801d791056896414d302

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

37.120.206.71

37.120.206.84

193.106.191.163

Attributes
  • base_path

    /drew/

  • build

    250240

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

37.120.206.91

37.120.206.95

havefuntxmm.at

5.42.199.57

xerkdeoleone.at

Attributes
  • base_path

    /images/

  • build

    250240

  • exe_type

    worker

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      62ea3f935563b.dll

    • Size

      300KB

    • MD5

      614e312af0e5de7c6b9819e3a1c766d4

    • SHA1

      01e384618d8eadb244184e66e6450752ea0ceade

    • SHA256

      982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203

    • SHA512

      362b32fbc61baf1c757f72d61e582e2741553eda4de022311757a0732a23edabafbcd6affdab97c49d5e1378587b16f1d6730fd9446c801d791056896414d302

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks