General
-
Target
MenaceImageLogger.exe
-
Size
12KB
-
Sample
240419-ep4jwsgc35
-
MD5
01eeafb81c6626945e4374a3bfad1080
-
SHA1
2ab1b6b22d41b6aaa4ba5369bc38d5e1a8b83636
-
SHA256
93525f9c14494574b4c9d9ee7576dea13469bd661dfeefdf1f2ac9f7862ea2c8
-
SHA512
fb2528ef490e3735a280eab7b50c6bb3b97c8ab829895bc8e6e2e51141cb844a3fc1d94b364061418130ba277ee6fbd4b3ceb2b3842a40365c187925eef5a422
-
SSDEEP
192:LCgLVzUsIjEsuTIPWB8q7SJKbBJA77slYccL2hlybG8JUdtuU:LCKyEIPWB8qaqA7a5cKhoi3dtB
Malware Config
Extracted
gozi
Targets
-
-
Target
MenaceImageLogger.exe
-
Size
12KB
-
MD5
01eeafb81c6626945e4374a3bfad1080
-
SHA1
2ab1b6b22d41b6aaa4ba5369bc38d5e1a8b83636
-
SHA256
93525f9c14494574b4c9d9ee7576dea13469bd661dfeefdf1f2ac9f7862ea2c8
-
SHA512
fb2528ef490e3735a280eab7b50c6bb3b97c8ab829895bc8e6e2e51141cb844a3fc1d94b364061418130ba277ee6fbd4b3ceb2b3842a40365c187925eef5a422
-
SSDEEP
192:LCgLVzUsIjEsuTIPWB8q7SJKbBJA77slYccL2hlybG8JUdtuU:LCKyEIPWB8qaqA7a5cKhoi3dtB
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-