General

  • Target

    62f24e6f4c4c7.dll

  • Size

    607KB

  • Sample

    220809-pd4qmabga4

  • MD5

    62cdd734fdd2d50b1f36f16dac017061

  • SHA1

    bacbec8f116f3e5274693cf7ba6de5c83fb3d9a8

  • SHA256

    e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869

  • SHA512

    2e11dd12f87781d226824de7286237d94d3ba5e77b2c189d5a3e6418d55a4c9689e8890e2734f6476b0893253a6993dc3aca261fd11bd7d2e05760e138daa467

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

79.110.52.8

79.110.52.80

193.106.191.163

Attributes
  • base_path

    /drew/

  • build

    250240

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

79.110.52.82

79.110.52.94

havefuntxmm.at

5.42.199.57

xerkdeoleone.at

Attributes
  • base_path

    /images/

  • build

    250240

  • exe_type

    worker

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      62f24e6f4c4c7.dll

    • Size

      607KB

    • MD5

      62cdd734fdd2d50b1f36f16dac017061

    • SHA1

      bacbec8f116f3e5274693cf7ba6de5c83fb3d9a8

    • SHA256

      e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869

    • SHA512

      2e11dd12f87781d226824de7286237d94d3ba5e77b2c189d5a3e6418d55a4c9689e8890e2734f6476b0893253a6993dc3aca261fd11bd7d2e05760e138daa467

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks