General

  • Target

    5BDF181C629182A48CE6810CD0987FB0C1242DED4C9E7.exe

  • Size

    200KB

  • Sample

    230307-tf7yaaab3s

  • MD5

    03cb70c1e24b4ea666d9aa2c935e109e

  • SHA1

    76700221ed0f2ec68b07d0855ad046ab46e9bafb

  • SHA256

    5bdf181c629182a48ce6810cd0987fb0c1242ded4c9e73501df59481dbe6ec3a

  • SHA512

    41cc824f4e5c035f1d696b63bdcfeb097ed0566db66997fef929680fdc0aefa9c040ced879a8eb82dceb6102fad58b956d74560d2078d93c43003091f4bf140b

  • SSDEEP

    3072:taHIi1V71HVwJpXoNER6BuAurHMQlshQuQiFrtjrXf+gt:0GJp4i6isQa2uhFrtHW

Malware Config

Extracted

Family

gozi

Targets

    • Target

      5BDF181C629182A48CE6810CD0987FB0C1242DED4C9E7.exe

    • Size

      200KB

    • MD5

      03cb70c1e24b4ea666d9aa2c935e109e

    • SHA1

      76700221ed0f2ec68b07d0855ad046ab46e9bafb

    • SHA256

      5bdf181c629182a48ce6810cd0987fb0c1242ded4c9e73501df59481dbe6ec3a

    • SHA512

      41cc824f4e5c035f1d696b63bdcfeb097ed0566db66997fef929680fdc0aefa9c040ced879a8eb82dceb6102fad58b956d74560d2078d93c43003091f4bf140b

    • SSDEEP

      3072:taHIi1V71HVwJpXoNER6BuAurHMQlshQuQiFrtjrXf+gt:0GJp4i6isQa2uhFrtHW

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Checks installed software on the system

      Looks up entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate the software installed on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used by process injection and process hollowing techniques to redirect a thread (often in a suspended child process) to injected code.
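
The signatures above can be correlated per process from EDR or sandbox telemetry. The following is an added example for this report, not the sandbox's own detection logic: the event schema, the process IDs and the log entries in SAMPLE_EVENTS are constructed for illustration, and the list of IP lookup hosts is an assumed starting set. It flags a process only when several of the listed behaviours co-occur, so that a software-inventory agent reading the Uninstall key, or a process calling SetThreadContext on its own thread, is not flagged on its own.

```python
"""Correlate sandbox/EDR-style events into the behavioural signatures listed in this report.

Added example; not part of the sandbox's detection engine. Event schema, PIDs and
log entries are constructed. Indicators are the well-known locations each signature
refers to; the IP lookup host list is an assumption to extend from your own telemetry.
"""
import re
from collections import defaultdict

# Assumed set of public IP lookup services (extend as needed).
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ip-api.com", "ipinfo.io", "checkip.amazonaws.com"}

# Chromium and Firefox credential/cookie stores commonly read by infostealers.
BROWSER_DATA_RE = re.compile(
    r"(\\User Data\\[^\\]+\\(Login Data|Web Data|Cookies)$)"
    r"|(\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$)",
    re.IGNORECASE,
)

# Registry key enumerated to list installed software.
UNINSTALL_KEY_RE = re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.IGNORECASE)


def classify(event):
    """Map one event to the report signature it matches, or None."""
    kind, target = event["type"], event["target"]
    if kind == "RegistryRead" and UNINSTALL_KEY_RE.search(target):
        return "Checks installed software on the system"
    if kind == "FileRead" and BROWSER_DATA_RE.search(target):
        return "Reads user/profile data of web browsers"
    if kind == "NetworkConnect" and target.lower() in IP_LOOKUP_HOSTS:
        return "Looks up external IP address via web service"
    # SetThreadContext is only suspicious when aimed at a thread in another process.
    if kind == "ApiCall" and target == "SetThreadContext" and event.get("target_pid") not in (None, event["pid"]):
        return "Suspicious use of SetThreadContext"
    return None


def correlate(events):
    """Return {pid: sorted list of distinct signatures observed for that process}."""
    hits = defaultdict(set)
    for ev in events:
        sig = classify(ev)
        if sig:
            hits[ev["pid"]].add(sig)
    return {pid: sorted(sigs) for pid, sigs in hits.items()}


def flag_infostealers(events, threshold=3):
    """PIDs whose count of distinct signatures reaches the threshold."""
    return sorted(pid for pid, sigs in correlate(events).items() if len(sigs) >= threshold)


SAMPLE_EVENTS = [  # constructed telemetry, not from the sandbox run
    {"pid": 4120, "type": "RegistryRead", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 4120, "type": "FileRead", "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4120, "type": "NetworkConnect", "target": "api.ipify.org"},
    {"pid": 4120, "type": "ApiCall", "target": "SetThreadContext", "target_pid": 5204},
    # Benign-looking inventory agent: reads the Uninstall key, nothing else.
    {"pid": 1880, "type": "RegistryRead", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Firefox"},
    {"pid": 1880, "type": "NetworkConnect", "target": "update.example.com"},
    # SetThreadContext on its own thread (e.g. exception handling): not counted.
    {"pid": 2996, "type": "ApiCall", "target": "SetThreadContext", "target_pid": 2996},
]

if __name__ == "__main__":
    for pid, sigs in correlate(SAMPLE_EVENTS).items():
        print(pid, sigs)
    print("flagged:", flag_infostealers(SAMPLE_EVENTS))
```

Run as-is, it prints the four signatures for PID 4120, the single Uninstall-key hit for PID 1880, and flags only 4120. The threshold is the tuning knob: one of these behaviours is common in legitimate software, the combination in a single 200KB unsigned executable is not.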

MITRE ATT&CK Enterprise v6

Tasks