General

  • Target

    53f7d917ad9ebf5b7d2ccc1a835083bc0c0b92cc69ee584703ea6e4345f5c457

  • Size

    1.1MB

  • Sample

    221027-drrgnsadc8

  • MD5

    879d9a2c75ee83443a0a913f5dc71b5c

  • SHA1

    41c124f8b5341773046ac9c6b5924b7919e0ac15

  • SHA256

    53f7d917ad9ebf5b7d2ccc1a835083bc0c0b92cc69ee584703ea6e4345f5c457

  • SHA512

    1f84756f6f30b6bff2cf3d5796549c96672e6fe4b6ebaa55f3b2d2f8e5ea034dd8086d5985f640f2c37b58eac0af089ab48ae5a730403e86b0939923b2f3c69a

  • SSDEEP

    24576:GmZ5G43EgTDD55vd9lTTwTJvLqWZlzSq05sRlKi9AwvjUkSSX:jZ5rEgPfd9lTmvLq2lY0l+0X

Malware Config

Targets

    • Target

      53f7d917ad9ebf5b7d2ccc1a835083bc0c0b92cc69ee584703ea6e4345f5c457

    • Size

      1.1MB

    • MD5

      879d9a2c75ee83443a0a913f5dc71b5c

    • SHA1

      41c124f8b5341773046ac9c6b5924b7919e0ac15

    • SHA256

      53f7d917ad9ebf5b7d2ccc1a835083bc0c0b92cc69ee584703ea6e4345f5c457

    • SHA512

      1f84756f6f30b6bff2cf3d5796549c96672e6fe4b6ebaa55f3b2d2f8e5ea034dd8086d5985f640f2c37b58eac0af089ab48ae5a730403e86b0939923b2f3c69a

    • SSDEEP

      24576:GmZ5G43EgTDD55vd9lTTwTJvLqWZlzSq05sRlKi9AwvjUkSSX:jZ5rEgPfd9lTmvLq2lY0l+0X

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Modifies Installed Components in the registry

    • Deletes itself

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            ID      Count
  Persistence      Registry Run Keys / Startup Folder   T1060   1
  Defense Evasion  Modify Registry                      T1112   1
  Discovery        Query Registry                       T1012   3
  Discovery        Peripheral Device Discovery          T1120   2
  Discovery        System Information Discovery         T1082   4
  Discovery        Remote System Discovery              T1018   1
  Discovery        Process Discovery                    T1057   1
  Collection       Email Collection                     T1114   2

Tasks