General

  • Target

    gen_build.zip

  • Size

    8KB

  • Sample

    240311-wmp26aaa7t

  • MD5

    41f614f1f978c645982238f03983d251

  • SHA1

    dfd8e4f3d3d934de01e423b3f0393aeb4ebd81c7

  • SHA256

    550f5faa4bdd6e5e435a19b6d77af1eace8750c5a9372d71f390454a949215f0

  • SHA512

    f27d0869c705e5469e0226a22511ee71847367b6eba672208b47111e247c606e1f19d95bc85c496ab919d14f7d89f97947505937fd6dee693e7065fe94ba3b7d

  • SSDEEP

    192:463e4x6I4YpoaB6dKe+Cfqn+nNN/e/e290nF6KQK:40e4x6UoLdKVFce2290FhQK

Malware Config

Extracted

Family

gozi

Targets

    • Target

      gen.exe

    • Size

      11KB

    • MD5

      20d5e0346a1c60e73d2eb908e0e9a85f

    • SHA1

      4fc58d46bab4d6dd3c5b0ab9dc32ec919cd10d0a

    • SHA256

      0a6d713567f1e7e03058632a4a06fb658b44b1a5630353c705d0f9cbce221ed7

    • SHA512

      c8342ea7b51311286aec1f6d83b338e495255def310b4e7cbd547f91d70bdc6265daa9d74198890f8fa005f3c653e98f026258401afe4edffcebc0dcb2ecfd50

    • SSDEEP

      192:5mC8Jjn0kGUCbaNRn+Nz7y7VIh5ULYELbl3pBxANi:5mCO055bKF+NPiVekjblLxg

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks