General

  • Target

    2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper

  • Size

    210KB

  • Sample

    221027-aec7qsabc8

  • MD5

    85805d82dabc0dd52887500bac553b21

  • SHA1

    d2113a557620ab04bc5d70d17196adf4d616fc46

  • SHA256

    6bbc933ec989233a4eebb376bb7589ec5c3c8fd949b7a822fce432313440e886

  • SHA512

    3489b0121df37ff4da162a761de8867bab34cdf5b76a31f2987fc7303e7fa78a74fedc7d2ec780127842b0410ed2e220274164b30b177b302990bdebdac941de

  • SSDEEP

    6144:mqkjiG4DOVwfSqlFR25owgSidd3Xy441GE3UKKz1PFB:hdfDOerzRyo9rnYGKe1PFB

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

supportsstats.com/geodata/version/ip2ext

neteworkgroup.com/geodata/version/ip2ext

highnetwork.pw/geodata/version/ip2ext

lostnetwork.in/geodata/version/ip2ext

sysconnections.net/geodata/version/ip2ext

lansupports.com/geodata/version/ip2ext

Attributes
  • build

    212578

  • exe_type

    worker

  • server_id

    30

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper

    • Size

      210KB

    • MD5

      85805d82dabc0dd52887500bac553b21

    • SHA1

      d2113a557620ab04bc5d70d17196adf4d616fc46

    • SHA256

      6bbc933ec989233a4eebb376bb7589ec5c3c8fd949b7a822fce432313440e886

    • SHA512

      3489b0121df37ff4da162a761de8867bab34cdf5b76a31f2987fc7303e7fa78a74fedc7d2ec780127842b0410ed2e220274164b30b177b302990bdebdac941de

    • SSDEEP

      6144:mqkjiG4DOVwfSqlFR25owgSidd3Xy441GE3UKKz1PFB:hdfDOerzRyo9rnYGKe1PFB

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks