General

  • Target

    Yenoscracked.exe

  • Size

    11KB

  • Sample

    240303-1bmj4shf88

  • MD5

    cf62b3fbc55c62a48a85a3d6b295b081

  • SHA1

    8b8fd603fd5c6b0811ca8eff011a313b8d6c3a2c

  • SHA256

    605552d2a7cbe2167ec7aabf803a67462a9b4f268e964bff4d01b2d45b22ac38

  • SHA512

    77d566dda5ccb97d4de3c85bf010f5940ddc36adf187fbe787304687058e9f12a3a50cd3e500cb1b45e53d70f5df269ab33ae402bc1ebdccb9dcb1cc3898aa3b

  • SSDEEP

    192:5eS8JZEU4afHwLcJMB5WR8Y4Z0YmezCjkdWmwKLOgwidJVJcLrdPUsuSvfo:5eSiEmHecuHkcZbDSXFgwmJ83vuSH

Malware Config

Extracted

Family

gozi

Targets

    • Target

      Yenoscracked.exe


    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks