General

  • Target: Enigma.exe

  • Size: 1.2MB

  • Sample: 240416-zwq8cscf28

  • MD5: d0f80a39b6f0a3beac677c6846c3b41a

  • SHA1: d7b1f3b1b53fa474247f9d4e63b959aa902866a4

  • SHA256: 3ef10a8b44eb13fc45d40ced592fe9f1a83e6b021b3681da61f7cce688304047

  • SHA512: 38cf9347f60cfa8a700f040e647deaac3309db71919b508ef7bf82f39b3497a5124413cdaae2ddc522200b23ab4c832f7c6ba72e673c8496ee8a36326c889270

  • SSDEEP: 24576:3stMPfK4jgsfALDEx/AoO0RwqvpVQqblqJRYu/UZfh+n6A6qtFa:3stb+Jlp3gJerIn6ApF

Malware Config

Extracted

Family

gozi

Targets

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger
