General
-
Target
5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
-
Size
43KB
-
Sample
230604-1qbq6adh39
-
MD5
6cfc839efb84296adb7230d036656d63
-
SHA1
0a6520a252c0d0e5530db01e61337a85a35f5d1c
-
SHA256
22ab9e84557956259e6ff19ba005f3e4009cda1c52e1d7d7ec994103486dcacd
-
SHA512
e32d608773ecb723577daea10cae59043b8f44785116842311a603d5e10132ed2a05f7ac8a57bce595c108e031dcf91dd2adff31c95ebbc9d8bded7a2de5a675
-
SSDEEP
768:AqH6jABB3QIMQr4G9DvcWjnC5x5D001EMlpXEtafscjT7u31GUOEfbG:ARATBMDSvnC57D0CFEtafFu3DS
Static task
static1
Behavioral task
behavioral1
Sample
5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
Resource
win7-20230220-en
Malware Config
Extracted
gozi
Extracted
gozi
1000
repeseparation.ru
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
-
Size
43KB
-
MD5
6cfc839efb84296adb7230d036656d63
-
SHA1
0a6520a252c0d0e5530db01e61337a85a35f5d1c
-
SHA256
22ab9e84557956259e6ff19ba005f3e4009cda1c52e1d7d7ec994103486dcacd
-
SHA512
e32d608773ecb723577daea10cae59043b8f44785116842311a603d5e10132ed2a05f7ac8a57bce595c108e031dcf91dd2adff31c95ebbc9d8bded7a2de5a675
-
SSDEEP
768:AqH6jABB3QIMQr4G9DvcWjnC5x5D001EMlpXEtafscjT7u31GUOEfbG:ARATBMDSvnC57D0CFEtafFu3DS
-
Enumerates VirtualBox registry keys
-
Nirsoft
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-