General

  • Target

    disk.exe

  • Size

    11KB

  • Sample

    240309-2mwgtsdd3v

  • MD5

    edac8e253d37344d0998d9c1c32fee3f

  • SHA1

    f068cf22c92446ec0c37d682ef445f3bec1fc67b

  • SHA256

    ec5b3436eaa876208ad7931b3b3aaa14cfd91c17063542272909edadd711e454

  • SHA512

    e01d8a9bea1e00e4a0b43dbe7871605bce835f60eff60e3996b8735b7f16526aba8f4b3212882526fa62598997236237735c0324f6da4bb59900baf2ef738136

  • SSDEEP

    192:5C8JjNo/NoD33npGQPF2yd4AzbwV/zykPvbVj40w8oJ:5CONoloDnEQPF24zbw1r93o

Malware Config

  • Extracted

    Family: gozi

Targets

    • Target

      disk.exe

    • Size

      11KB

    • MD5

      edac8e253d37344d0998d9c1c32fee3f

    • SHA1

      f068cf22c92446ec0c37d682ef445f3bec1fc67b

    • SHA256

      ec5b3436eaa876208ad7931b3b3aaa14cfd91c17063542272909edadd711e454

    • SHA512

      e01d8a9bea1e00e4a0b43dbe7871605bce835f60eff60e3996b8735b7f16526aba8f4b3212882526fa62598997236237735c0324f6da4bb59900baf2ef738136

    • SSDEEP

      192:5C8JjNo/NoD33npGQPF2yd4AzbwV/zykPvbVj40w8oJ:5CONoloDnEQPF24zbw1r93o

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks