General

  • Target

    a692aa023f49797c868df6e5cd185d117dcc51dbf3135a690fef064bc5204fbe

  • Size

    163KB

  • Sample

    240514-a4p8lacg84

  • MD5

    98bcd401fd3e05cf78b995886ca57571

  • SHA1

    b04c54ef5638f28014c8d4aee796c4d7b2579d87

  • SHA256

    a692aa023f49797c868df6e5cd185d117dcc51dbf3135a690fef064bc5204fbe

  • SHA512

    32ef674054e104cbcdf83d9fcf86462635495b198b77825699d0b4ae68b8bfff9a89faeb3042d51d4409d6ec45612533ede38cb83ff166092c463d01ee7e0299

  • SSDEEP

    3072:yN9A/PfSEsmv5zvVeSlN8vAltOrWKDBr+yJb:yzyXScvVUvALOf

Malware Config (Extracted)

  • Family

    gozi

Targets

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Detects executables built or packed with MPress PE compressor

    • UPX dump on OEP (original entry point)

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks