General

  • Target

    LGServer.bat

  • Size

    252KB

  • Sample

    240424-zlplsahc9z

  • MD5

    8aa9192ef2e6f6cfa7fbf770d7878b8c

  • SHA1

    f2db70bebe8cc92348d95e2c6667e3e2bda3cf7b

  • SHA256

    6fd1b7bf74c09c27153634670caa537acb4aa6d834aedae7dffc5d77f161b0a3

  • SHA512

    8408feda79bfcc0a57f9b4e197cd2bffef91178a2a191817ac82e22b5fe8d85b28248c2ca3ed653659619004c59d0bc1e379c8a4e2cbb40e36b05f2ae8551742

  • SSDEEP

    6144:DXtO31+JiClvhGIp7ZOWLx5EV4o77ZAr9kGkn:TBvMeV3LxODlAJkGkn

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    Chopx

  • C2

    127.0.0.1:5552

  • Mutex

    d6bfbefac0528ec6983bd8e0f00508f2

  • Attributes

    reg_key: d6bfbefac0528ec6983bd8e0f00508f2

    splitter: |'|'|

Extracted

  • Family

    gozi

Targets

    • Target

      LGServer.bat

    • Size

      252KB

    • MD5

      8aa9192ef2e6f6cfa7fbf770d7878b8c

    • SHA1

      f2db70bebe8cc92348d95e2c6667e3e2bda3cf7b

    • SHA256

      6fd1b7bf74c09c27153634670caa537acb4aa6d834aedae7dffc5d77f161b0a3

    • SHA512

      8408feda79bfcc0a57f9b4e197cd2bffef91178a2a191817ac82e22b5fe8d85b28248c2ca3ed653659619004c59d0bc1e379c8a4e2cbb40e36b05f2ae8551742

    • SSDEEP

      6144:DXtO31+JiClvhGIp7ZOWLx5EV4o77ZAr9kGkn:TBvMeV3LxODlAJkGkn

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job, T1053 (1)

  • Persistence

    Scheduled Task/Job, T1053 (1)

  • Privilege Escalation

    Scheduled Task/Job, T1053 (1)

  • Credential Access

    Unsecured Credentials, T1552 (1)

    Credentials In Files, T1552.001 (1)

  • Discovery

    Query Registry, T1012 (1)

    System Information Discovery, T1082 (2)

  • Collection

    Data from Local System, T1005 (1)

  • Command and Control

    Web Service, T1102 (1)

Tasks