General

  • Target: preperation.exe
  • Size: 12KB
  • Sample: 240301-ac4xnsgc2s
  • MD5: b76a50c52e965f75d0600dca2f973575
  • SHA1: 267c6183eb27325fbf724e6f41252f5c05251c8e
  • SHA256: 7f710c8c20d1de56c385f2216ca2015e536884fde5658d7e820a4e21b6ea0fa8
  • SHA512: fcf5e61e896ad6338d6114ef7f67880ccca9a22a9830840a4ddb98eb6ab734ef21af01eee1bcab5c527498602ccf2b366d1e3b8d021f9083b10e0d1643964a35
  • SSDEEP: 192:8ZF9I7HfMmej2H5VyrYNilz1rKG3vbouzS8e8JwhA:8Z87/MoHnyVEGTvOs

Malware Config

Extracted

Family

gozi

Targets

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar profile data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks