General

  • Target

    FreeRobuxv1_build.zip

  • Size

    9KB

  • Sample

    240312-yel2mshf8y

  • MD5

    2e2d6a87221b1a165c7f42bc150205f2

  • SHA1

    9c2a38609bf03357e923e2276314d62ed08afc0e

  • SHA256

    973d738d0cf9a4f656813a19746da90253243730d94a3b7b520d1f7ad0d51b7d

  • SHA512

    2dd284f8a6afb58e62b9069adda57ab90db9cc58840c87bc6303066be90bbec88ef5d96bf188279c3212c926b4c3c0f6be684a07e4fad9bcb1979955b877f28d

  • SSDEEP

    192:1Ny9eN53ywSK9vFrCVG1lXBGSwB5IcOhYknCIFNWbVwE1MRW8JFaS4v9:T8MYw/qGfXXwBChnjgODJFa9

Malware Config

Extracted

Family

gozi

Targets

    • Target

      FreeRobuxv1.exe

    • Size

      12KB

    • MD5

      b860036b6798a377033c3d6409935e91

    • SHA1

      1c5ce68e70409e386908b42d8c80c673a8e5745e

    • SHA256

      057b180354970eeecf9d506ab324aac433794567581cbc969e20b9d000bb64fc

    • SHA512

      084e47ac691e92098df131beba81762c8006910ec6528e66bb274babe0aa9bd78b0273fbab08aff5e842a12281f299c43f51527a70cf06e4cfac8976a254d85f

    • SSDEEP

      192:yXz4aPmoCP8ZWfiB0kE/Xx/Sl2DHnJfriSGUg8Jl0w:yXBO8ZWfiB0TXxKlk3GUgi5

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks