General

  • Target

    8fcfb8f38d8607c57f08f9b39139065f

  • Size

    300KB

  • Sample

    220803-m1nltabdel

  • MD5

    8fcfb8f38d8607c57f08f9b39139065f

  • SHA1

    805bb719009145dcc32b5361abf5bb4d91015dbb

  • SHA256

    ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d

  • SHA512

    6d02b5338e387185520c45a45434bf5e949fdfd66d484459c3e817b76fbfc50621d0fbd5e4e5f3618f02ea257b8d73a53637b7bc791cc40300e837e2de72007f

Malware Config

Extracted

  • Family

    gozi_ifsb

  • Botnet

    3000

  • C2

    config.edge.skype.com

    37.120.206.71

    37.120.206.84

    193.106.191.163

  • Attributes

    • base_path

      /drew/

    • build

      250240

    • exe_type

      loader

    • extension

      .jlk

    • server_id

      50

  • rsa_pubkey.plain

  • aes.plain

Extracted

  • Family

    gozi_ifsb

  • Botnet

    3000

  • C2

    37.120.206.91

    37.120.206.95

    havefuntxmm.at

    5.42.199.57

    xerkdeoleone.at

  • Attributes

    • base_path

      /images/

    • build

      250240

    • exe_type

      worker

    • extension

      .jlk

    • server_id

      50

  • rsa_pubkey.plain

  • aes.plain

Targets

    • Target

      8fcfb8f38d8607c57f08f9b39139065f

    • Size

      300KB

    • MD5

      8fcfb8f38d8607c57f08f9b39139065f

    • SHA1

      805bb719009145dcc32b5361abf5bb4d91015dbb

    • SHA256

      ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d

    • SHA512

      6d02b5338e387185520c45a45434bf5e949fdfd66d484459c3e817b76fbfc50621d0fbd5e4e5f3618f02ea257b8d73a53637b7bc791cc40300e837e2de72007f

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6