General
Target: payloads.zip
Size: 1.2MB
Sample: 230215-jy8x7aah43
MD5: e8e3bc0b2f56bfe63543aeffb06d97bb
SHA1: 7753274b940afedb58769c4de952f44158f602e3
SHA256: 3a5a6e8d7db817361b7126dd2f3ba2b0db254bfaf9ba12048a58b3f914737ac5
SHA512: 373385f13f48a04b9694d55c960c795f60e41bff89ec4573722ce94aaa3a7d25c4614fe8709b5e316e252c2fd8f871351df25b6f9462e9f9598816a55a18d03c
SSDEEP: 24576:5KStfFMvO1RRPsRMIPlJOSj4gKM2qNhdZJbX5rMDcWdqjyhWAwNB:4SttUcRl8MI3V44NnZJbprMwcWAwv
Behavioral tasks
behavioral1: sample control.exe, resource win7-20220812-en
behavioral2: sample control.exe, resource win10v2004-20221111-en
behavioral3: sample control2.exe, resource win7-20221111-en
Malware Config

Extracted: gozi
994411
base_path: /uploaded/
build: 250249
exe_type: loader
extension: .pct
server_id: 50
Extracted: aurora
159.69.108.164:8081

Extracted: gozi
994411
base_path: /uploaded/
build: 250249
exe_type: worker
extension: .pct
server_id: 50
Targets

Target: control.exe.bin
Size: 37KB
MD5: fab96414cc834214965bfc06a1f152b0
SHA1: 1734b62ddb614cde6f6191799e8c4494593b533c
SHA256: c0be2d843a58e5c8efbdeee3d287fa6432e0bf401fd7c38870b8153301a24b69
SHA512: 959f5dcfccd8d934d5b09e92ee84e54a1fefb04c6bfa59ce60988779061d3fbf72752db9b5118f19ca334fc48b0fad0f2e0418c2dc278cbb4879b15c57eb7fb8
SSDEEP: 768:TKbMPv5JLJyeyV34OB9bl5n+iRjn9P1avZa9Bmr1h097mI569:T4MHLLJJyt5+0zavZangX097m5
Signatures:
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext
Target: control2.exe.bin
Size: 3.0MB
MD5: ff7f647536d4ee57ec129151e5ff71b5
SHA1: 8eb63340b5047dabff508ce67a3eb95c22f02a37
SHA256: 845ade5537fadbb77368349cdc51b533a6ad02e819e4b74f21186fdaed1a7ea2
SHA512: 486df438a6f0d78260bc48572cc28054e8e7fb886e1567efe853053add52bb3f5a894e8e76a247cafdb2b8c165f3162ed3423a6d4cd1059c668a35cc786cc711
SSDEEP: 49152:TNX/kxUhAnhP/4G2imMLb6cEPiITRf+EGg7ddjzaII5oTk6k1oFW:Tt/cqAhPpJLucQjFTPw
Signatures:
- Accesses cryptocurrency files/wallets, possible credential harvesting