General

  • Target

    Gk67Vl

  • Size

    1KB

  • Sample

    240310-v72e9ahb94

  • MD5

    0961eb13ef799b1c1f2a335965f343bd

  • SHA1

    5d7ce0e0c0137d85da4d7ced88bff2bdba80ed20

  • SHA256

    8ef0aa04db9fe87fe3e9d92103882dde1531a55f8c7fcbceda55f8ae4f501435

  • SHA512

    554458650ceec6f091e6451ed3eb46141d98deba5cab9fc54c0b956b90939caf5d846edc6ae4d368d88a964c2259f5cf9fcadc8f7e610b30928ea65af9b5c777

Malware Config

Extracted

Family

xworm

C2

78.69.106.17:8000

Attributes
  • Install_directory

    %AppData%

  • install_file

    Update.exe

Extracted

Family

gozi

Targets

    • Target

      Gk67Vl

    • Size

      1KB

    • MD5

      0961eb13ef799b1c1f2a335965f343bd

    • SHA1

      5d7ce0e0c0137d85da4d7ced88bff2bdba80ed20

    • SHA256

      8ef0aa04db9fe87fe3e9d92103882dde1531a55f8c7fcbceda55f8ae4f501435

    • SHA512

      554458650ceec6f091e6451ed3eb46141d98deba5cab9fc54c0b956b90939caf5d846edc6ae4d368d88a964c2259f5cf9fcadc8f7e610b30928ea65af9b5c777

    • Detect Xworm Payload

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks