Resubmissions

14-05-2024 09:50

240514-lt4h1sah21 10

14-05-2024 09:48

240514-ls2yssbb99 10

General

  • Target

    ScorpionTool.exe

  • Size

    14.7MB

  • Sample

    240514-lt4h1sah21

  • MD5

    1fa5f0dad29dd8494a0f6ec19ae54135

  • SHA1

    377c3eea9d87f447dc8087559952675d577b5212

  • SHA256

    73fec669d22c5c4ed518a11681e8b2af2038eca843ada4be221495d683f4fe48

  • SHA512

    0a7351d3cff651e4fd4e6cb7d49850c683a5801c7d2c950a35d20bbf69f0575f8f2fee4fab6c449c2c15eb1423c23355da1799c1ff6c74f1248d32180aff6943

  • SSDEEP

    393216:Ytd45Gs7PJR6UfvxUS15iab4U4lMl4LvdPWYFbx/6IX:YtOwAR6UfvxUS1Ua8UmMlEWY33

Malware Config

Extracted

Family

gozi

Targets

    • Target

      ScorpionTool.exe


    • Gozi

      Gozi (also tracked as Ursnif/ISFB) is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the payload does not run on systems in excluded regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data, which can include saved credentials, cookies and session tokens.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate public IP lookup service to learn the infected system's external IP address.
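The three behaviours above (registry locale lookup, browser credential-store read, external-IP lookup) are individually noisy but together form a useful detection. The following is an added example, not part of the sandbox report and not code from the sample: a small correlator over Sysmon-style events that tags each behaviour and flags processes showing more than one. The event records are constructed for illustration, the registry paths (`Control Panel\International\Geo\Nation`, `LocaleName`, `Nls\Language`) and the list of IP-lookup hosts are assumptions, since the report does not say which key or service the sample used.

```python
"""
Added example (not from the sandbox report or the sample): tag and
correlate geofence registry lookups, browser credential-store reads and
external-IP lookups per process over Sysmon-style events.
Event records below are constructed; registry paths and IP-lookup hosts
are assumptions, as noted in the comments.
"""
import re
from collections import defaultdict

# Registry values a geofence check usually reads. The report only says
# "country code configured in the registry"; these paths are assumptions.
GEO_REG_PATTERNS = [
    re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    re.compile(r"\\Control Panel\\International\\LocaleName$", re.I),
    re.compile(r"\\Control\\Nls\\Language\\", re.I),
]

# On-disk credential and cookie stores of common browsers.
BROWSER_STORE_PATTERNS = [
    re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I),        # Chromium family
    re.compile(r"\\User Data\\[^\\]+\\Network\\Cookies$", re.I),   # Chromium family
    re.compile(r"\\Firefox\\Profiles\\[^\\]+\\logins\.json$", re.I),
    re.compile(r"\\Firefox\\Profiles\\[^\\]+\\key4\.db$", re.I),
]

# Processes expected to open those stores; any other image reading them is suspicious.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Public "what is my IP" services (real hosts; illustrative, not exhaustive).
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ipinfo.io", "ip-api.com", "icanhazip.com",
    "ifconfig.me", "checkip.amazonaws.com", "ipecho.net",
}


def image_name(image_path):
    """Return the lowercase file name of a Windows image path."""
    return image_path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one event to a behaviour tag, or None if it is uninteresting."""
    kind, target = event["type"], event["target"]
    if kind == "registry_read" and any(p.search(target) for p in GEO_REG_PATTERNS):
        return "geofence_lookup"
    if kind == "file_open" and any(p.search(target) for p in BROWSER_STORE_PATTERNS):
        # A browser opening its own store is normal; anything else is not.
        if image_name(event["image"]) not in BROWSER_IMAGES:
            return "browser_store_read"
    if kind == "dns_query" and target.lower().rstrip(".") in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    return None


def tags_per_process(events):
    """Collect the distinct behaviour tags seen for each (pid, image name)."""
    seen = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            seen[(ev["pid"], image_name(ev["image"]))].add(tag)
    return {key: sorted(tags) for key, tags in seen.items()}


def flagged_processes(events, min_tags=2):
    """Return processes showing at least `min_tags` distinct behaviours.

    A lone locale lookup or IP check is common in benign software; the
    combination with a browser-store read is what the report describes.
    """
    return {k: v for k, v in tags_per_process(events).items() if len(v) >= min_tags}


# Constructed Sysmon-style events (not from the real sample's trace).
SAMPLE_EVENTS = [
    {"pid": 4242, "image": r"C:\Users\victim\Downloads\ScorpionTool.exe",
     "type": "registry_read", "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"pid": 4242, "image": r"C:\Users\victim\Downloads\ScorpionTool.exe",
     "type": "file_open",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4242, "image": r"C:\Users\victim\Downloads\ScorpionTool.exe",
     "type": "dns_query", "target": "api.ipify.org"},
    # Benign noise: the browser reading its own store, explorer checking the locale.
    {"pid": 1300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "type": "file_open",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 900, "image": r"C:\Windows\explorer.exe",
     "type": "registry_read", "target": r"HKCU\Control Panel\International\LocaleName"},
]

if __name__ == "__main__":
    for proc, tags in flagged_processes(SAMPLE_EVENTS).items():
        print(proc, tags)
```

Run as a script it prints only the ScorpionTool.exe process with all three tags; chrome.exe is suppressed by the image allow-list and explorer.exe carries a single tag, below the threshold. In production the event feed would come from Sysmon (registry and file events need the corresponding Sysmon rules, and file reads need a SACL or EDR telemetry rather than the default file-create event) and the host list should be a maintained lookup rather than a literal set.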

MITRE ATT&CK Enterprise v15

Tasks