General

  • Target

    de00c4750accf516704b8c0df265c24a

  • Size

    300KB

  • Sample

    220803-wgvqfseghj

  • MD5

    de00c4750accf516704b8c0df265c24a

  • SHA1

    eddbc6019ec7ba82d3c5b4c59efe797ff1df9f75

  • SHA256

    7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc

  • SHA512

    b0e6bbbdae36bd81f63dbab9296515d3a389fa6acb397476058ae202e66026ca8dc523fb35c6b7145a87d6e61e3833e396873e61e733152ccbaa39387bada96f

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

37.120.206.71

37.120.206.84

193.106.191.163

Attributes
  • base_path

    /drew/

  • build

    250240

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

37.120.206.91

37.120.206.95

havefuntxmm.at

5.42.199.57

xerkdeoleone.at

Attributes
  • base_path

    /images/

  • build

    250240

  • exe_type

    worker

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain
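The two extracted configs give a practitioner everything needed for network detection: the C2 hosts, the base_path each stage prefixes to its request URIs, and the extension (.jlk) it appends. The following is an added example, not part of the sandbox report and not the sandbox's own tooling. It assumes the bot's request path is built as base_path, then encoded data, then the extension (this is how these two config fields are used), and it runs the resulting indicators over a constructed proxy log format. One caveat it encodes: config.edge.skype.com is a legitimate Microsoft hostname, and Gozi ISFB configs routinely list such a domain next to the real C2s as a connectivity check and decoy; it must not be blocked, and contact with it alone is not evidence of infection.

```python
"""Turn the extracted Gozi ISFB configs into network IOCs and scan proxy logs.

Added example; the log format and the sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Values copied from the two extracted configs (loader and worker stages).
EXTRACTED_CONFIGS = [
    {"exe_type": "loader", "base_path": "/drew/", "extension": ".jlk",
     "c2": ["config.edge.skype.com", "37.120.206.71", "37.120.206.84",
            "193.106.191.163"]},
    {"exe_type": "worker", "base_path": "/images/", "extension": ".jlk",
     "c2": ["37.120.206.91", "37.120.206.95", "havefuntxmm.at",
            "5.42.199.57", "xerkdeoleone.at"]},
]

# Legitimate hostname carried in the config as a decoy / connectivity check.
# It is excluded from the blockable host set and reported separately.
DECOY_HOSTS = {"config.edge.skype.com"}


def build_iocs(configs=EXTRACTED_CONFIGS):
    """Return (c2_hosts, uri_patterns).

    c2_hosts     : hosts/IPs safe to block (decoys removed)
    uri_patterns : set of (base_path, extension) pairs to match on paths,
                   which also catches rotated infrastructure not in the config
    """
    hosts = set()
    uri_patterns = set()
    for cfg in configs:
        hosts.update(h for h in cfg["c2"] if h not in DECOY_HOSTS)
        uri_patterns.add((cfg["base_path"], cfg["extension"]))
    return hosts, uri_patterns


# Constructed proxy log line: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify_line(line, hosts, uri_patterns):
    """Return a verdict for one log line, or None if nothing matched.

    'c2-host'    : destination is an extracted C2 host
    'c2-uri'     : path has the base_path/.../extension shape, host unknown
    'decoy-host' : only the decoy domain was contacted
    """
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    url = urlsplit(m.group(4))
    host = url.hostname or ""
    path = url.path
    if host in hosts:
        return "c2-host"
    if any(path.startswith(bp) and path.endswith(ext) for bp, ext in uri_patterns):
        return "c2-uri"
    if host in DECOY_HOSTS:
        return "decoy-host"
    return None


def scan(lines, configs=EXTRACTED_CONFIGS):
    """Scan an iterable of log lines; return [(verdict, line), ...] for hits."""
    hosts, uri_patterns = build_iocs(configs)
    return [(v, ln) for ln in lines
            if (v := classify_line(ln, hosts, uri_patterns)) is not None]


# Constructed sample traffic: one decoy contact, two config C2 hits, one
# URI-shape hit on an IP the config does not list, one clean request.
SAMPLE_LOG = [
    "2022-08-03T14:02:11Z 10.0.0.5 GET http://config.edge.skype.com/ping 200",
    "2022-08-03T14:02:13Z 10.0.0.5 GET http://37.120.206.71/drew/ab/cd/ef.jlk 200",
    "2022-08-03T14:05:40Z 10.0.0.5 POST http://havefuntxmm.at/images/q1/w2.jlk 200",
    "2022-08-03T14:06:02Z 10.0.0.5 GET http://198.51.100.9/images/rr/tt.jlk 404",
    "2022-08-03T14:07:00Z 10.0.0.5 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG):
        print(f"{verdict:10s} {line}")
```

The host match is evaluated before the URI match so a hit on known infrastructure is reported as such; the URI-shape match is the weaker signal and is what surfaces the fourth sample line, whose IP is not in either config. Treat 'c2-uri' hits as leads to pivot on, not as automatic blocks.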

Targets

    • Target

      de00c4750accf516704b8c0df265c24a

    • Gozi, Gozi IFSB

      Gozi ISFB (the family name is also written IFSB; the malware is also known as Ursnif) is a well-known and widely distributed banking trojan. The two configs extracted from this sample share build 250240 and server_id 50 and correspond to its loader and worker stages, each with its own C2 list and base_path.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution so the sample does not run on machines in certain locales.

    • Suspicious use of SetThreadContext

      SetThreadContext on another thread is a standard step in process hollowing and related code-injection techniques: the target thread's execution context is rewritten to point at attacker-controlled code before the thread is resumed.

MITRE ATT&CK Enterprise v6

Tasks