General

  • Target

    f9d778ad3bfea174401f36a2d88851d8

  • Size

    378KB

  • Sample

    220809-pv673scac9

  • MD5

    f9d778ad3bfea174401f36a2d88851d8

  • SHA1

    fd2b30e2f029939c31c759d9fbdd5ee5242137c0

  • SHA256

    44026db9b82303793e896838dd9e85def8b501ec72e3b64584db38212ea312f5

  • SHA512

    046ee69e01fc2e64b3cf75ccfa9a0886ef4e6752f9d90e199c67b8cc9cfdf767d8235b3a638fc96782cea0ff1b278f8d36a2ea25c9a5a839c0c03d199de5175a

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

79.110.52.8

79.110.52.80

193.106.191.163

Attributes
  • base_path

    /drew/

  • build

    250240

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

79.110.52.82

79.110.52.94

havefuntxmm.at

5.42.199.57

xerkdeoleone.at

Attributes
  • base_path

    /images/

  • build

    250240

  • exe_type

    worker

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain
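Putting the two extracted configs to work, as an added example that is not part of the sandbox output: a small Python hunt over web-proxy logs that flags requests to the listed C2 hosts, rates a hit higher when the request path starts with that config's base_path and ends with its extension (.jlk), and reports config.edge.skype.com separately, because it is a legitimate Microsoft domain that ISFB configs carry alongside the real C2 and should not be blocked on this evidence alone. The beacon URL shape (base_path + encoded data + extension) is an assumption about ISFB's URI builder, the log lines are constructed, and the function names are this example's own. It also points out that four of the C2 addresses share 79.110.52.0/24, which is worth a watch rule of its own.

```python
"""Hunt for Gozi ISFB C2 beacons in proxy logs using the extracted configs.

Added example for this report, not sandbox output. CONFIGS is copied from
the two extracted configs above; SAMPLE_LOG is constructed. Assumption:
the beacon URL is base_path + encoded blob + extension.
"""
import ipaddress
import re
from urllib.parse import urlsplit

CONFIGS = [
    {"exe_type": "loader", "botnet": "3000", "build": "250240", "server_id": "50",
     "base_path": "/drew/", "extension": ".jlk",
     "c2": ["config.edge.skype.com", "79.110.52.8", "79.110.52.80", "193.106.191.163"]},
    {"exe_type": "worker", "botnet": "3000", "build": "250240", "server_id": "50",
     "base_path": "/images/", "extension": ".jlk",
     "c2": ["79.110.52.82", "79.110.52.94", "havefuntxmm.at", "5.42.199.57", "xerkdeoleone.at"]},
]

# Legitimate domain carried in the config next to real C2 (assumption: decoy or
# connectivity check). Report it, never block it on this evidence.
DECOY_HOSTS = {"config.edge.skype.com"}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2022-08-09T12:00:01Z 10.0.0.5 GET http://79.110.52.80/drew/AbCd/EfGh.jlk 200
2022-08-09T12:00:02Z 10.0.0.5 GET https://config.edge.skype.com/config/v1/Skype/908_1.33.0.43 200
2022-08-09T12:00:03Z 10.0.0.7 GET http://havefuntxmm.at/images/xYz1/2AbC.jlk 200
2022-08-09T12:00:04Z 10.0.0.9 GET http://example.org/images/logo.png 200
2022-08-09T12:00:05Z 10.0.0.9 GET http://203.0.113.9/images/Q1w2/E3r4.jlk 404
2022-08-09T12:00:06Z 10.0.0.5 GET http://5.42.199.57/favicon.ico 404
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def build_iocs(configs):
    """Map each C2 host to the (base_path, extension, exe_type) tuples it serves."""
    iocs = {}
    for cfg in configs:
        for host in cfg["c2"]:
            iocs.setdefault(host.lower(), []).append(
                (cfg["base_path"], cfg["extension"], cfg["exe_type"]))
    return iocs


def beacon_path(path, patterns):
    """True if the path looks like base_path + <data> + extension for any pattern."""
    return any(path.startswith(bp) and path.endswith(ext) for bp, ext, _ in patterns)


def classify_request(url, iocs):
    """Return 'decoy', 'c2-beacon', 'c2-host', 'path-only' or None for one URL.

    c2-beacon: known host and the config's URL shape; c2-host: known host only;
    path-only: unknown host but the URL shape of some config (possible new C2).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if host in DECOY_HOSTS:
        return "decoy"
    if host in iocs:
        return "c2-beacon" if beacon_path(path, iocs[host]) else "c2-host"
    all_patterns = [p for pats in iocs.values() for p in pats]
    return "path-only" if beacon_path(path, all_patterns) else None


def scan_proxy_log(text, iocs):
    """Yield (client, verdict, url) for every log line that matches something."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        verdict = classify_request(m["url"], iocs)
        if verdict:
            findings.append((m["client"], verdict, m["url"]))
    return findings


def shared_networks(iocs, prefix=24):
    """Group the IP-literal C2s by /prefix and keep networks hosting more than one."""
    nets = {}
    for host in iocs:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname, not an IP literal
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets.setdefault(net, []).append(host)
    return {str(n): sorted(hs) for n, hs in nets.items() if len(hs) > 1}


if __name__ == "__main__":
    iocs = build_iocs(CONFIGS)
    for client, verdict, url in scan_proxy_log(SAMPLE_LOG, iocs):
        print(f"{verdict:10} {client:10} {url}")
    print("shared networks:", shared_networks(iocs))
```

The "path-only" verdict is deliberately low confidence: /images/ is a common prefix, so it only fires when the .jlk extension is present too, and even then it should trigger a look rather than a block. The decoy handling is the important caveat: pasting every C2 line from the config into a blocklist would cut off a Microsoft endpoint.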

Targets

    • Target

      f9d778ad3bfea174401f36a2d88851d8

    • Size

      378KB

    • MD5

      f9d778ad3bfea174401f36a2d88851d8

    • SHA1

      fd2b30e2f029939c31c759d9fbdd5ee5242137c0

    • SHA256

      44026db9b82303793e896838dd9e85def8b501ec72e3b64584db38212ea312f5

    • SHA512

      046ee69e01fc2e64b3cf75ccfa9a0886ef4e6752f9d90e199c67b8cc9cfdf767d8235b3a638fc96782cea0ff1b278f8d36a2ea25c9a5a839c0c03d199de5175a

    • Gozi, Gozi IFSB

      Gozi ISFB (also tracked as Ursnif) is a well-known and widely distributed banking trojan; the two extracted configs above are its loader and worker stages, sharing build 250240, botnet 3000 and server_id 50.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence so the sample does not run in excluded regions.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites the register state of a (usually suspended) thread; outside debuggers it is a hallmark of process hollowing and thread-hijacking injection.

MITRE ATT&CK Enterprise v6

Tasks