General

  • Target

    TechnicalFreeWoofer.exe

  • Size

    14KB

  • Sample

    240303-tgr88adc42

  • MD5

    fe93af586c138d3cfa13cee1361380ba

  • SHA1

    09059ef2b2656514a25abe01f63f8604d8108287

  • SHA256

    d05d1bb76fdf811f988e61f21e73fdb0090064b9df79c8466b5d28b0fdcef1cf

  • SHA512

    a4759f443c103c552fd228a034d72f454e952a138272f0deb81ff131ac9b021212ea889150534f75164e6171edda01c640a5ef4035f06273dde17a4c900f462d

  • SSDEEP

    384:krsPzmIJ3MGNPS0952hqw39MMEptYcFwVc03K:krsrmw3q09Uhqw39MMAtYcFwVc6K

Malware Config

Extracted

  • Family

    gozi

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15