General

  • Target

    3a71346426bb32b8659226c383ec23ffe2112674357dcd4008c9ddc11494b61e

  • Size

    163KB

  • Sample

    240518-y9v8ssee76

  • MD5

    c03c44286bbf239317efa05f7601416c

  • SHA1

    febbd3eb99bca8919f72a0cf693ca36b998e4e14

  • SHA256

    3a71346426bb32b8659226c383ec23ffe2112674357dcd4008c9ddc11494b61e

  • SHA512

    96df1f581970dcde8473740372f0448e63ffcf5ce6a41755a9006cd84df9e5a7f730d077ff6eb8287ff5107945a5893f6ee99fa2083d0ba29c88f6a72c7571e6

  • SSDEEP

    3072:efBXDfkC/zKRaWdVZu2pFltOrWKDBr+yJb:ep7kC/OfVZuOFLOf

Malware Config

  • Extracted

    Family: gozi

Targets

    • Adds an autorun registry key so that Explorer.exe loads the payload at startup (persistence)

    • Gozi

      Gozi (also tracked as Ursnif/ISFB) is a well-known and widely distributed banking trojan; the extracted configuration is what ties this sample to the family.

    • Executable built or packed with the MPRESS PE compressor (packer signature match)

    • UPX-packed image: the sandbox took a memory dump when execution reached the original entry point (OEP), i.e. after the UPX stub finished unpacking

      Both packer signatures are raised per run, not per file, so with a dropped EXE and a dropped DLL in play they need not describe the same image as the submitted sample.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory
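The hashes in the General section identify the sample, and the MPRESS and UPX signatures above are, in the simplest case, section-name matches on the PE header. The script below is an added example (not code from the page or from the sandbox vendor): it recomputes the hashlib digests the report lists, checks a file against the report's SHA-256, and walks the PE section table looking for the default section names the two packers leave behind. The packer-to-section-name mapping and the in-memory PE skeleton built by `build_fake_pe` are assumptions made for illustration; a sample with renamed sections will not match, and ssdeep is not in the standard library.

```python
import hashlib
import struct

# SHA-256 the report lists for the submitted sample (copied from the page);
# verify_report_hash() only returns True when run on that exact file.
REPORT_SHA256 = "3a71346426bb32b8659226c383ec23ffe2112674357dcd4008c9ddc11494b61e"

# Default section names left behind by the two packers flagged in the report.
# Assumption for this example: well-known defaults only; renamed sections evade it.
PACKER_SECTIONS = {
    "MPRESS": {b".MPRESS1", b".MPRESS2"},
    "UPX": {b"UPX0", b"UPX1", b"UPX2"},
}


def digests(data: bytes) -> dict:
    """The four hashlib digests the report lists (ssdeep needs the ssdeep module)."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def verify_report_hash(data: bytes, expected_sha256: str = REPORT_SHA256) -> bool:
    """True only if the bytes are the sample the report describes."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table, return raw names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # COFF file header, 20 bytes
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def detect_packers(data: bytes) -> list:
    """Packers whose default section names appear in the image, sorted by name."""
    names = set(pe_section_names(data))
    return sorted(p for p, s in PACKER_SECTIONS.items() if names & s)


def build_fake_pe(section_names) -> bytes:
    """Constructed test input: a minimal PE header skeleton, not a runnable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE signature right after DOS header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics=EXECUTABLE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table


if __name__ == "__main__":
    for names in ([b".MPRESS1", b".MPRESS2", b".rsrc"],
                  [b"UPX0", b"UPX1", b".rsrc"],
                  [b".text", b".data"]):
        blob = build_fake_pe(names)
        print(names, detect_packers(blob), digests(blob)["sha256"][:16],
              verify_report_hash(blob))
```

Run it against the real sample by reading the file into `data` and calling `verify_report_hash(data)` before `detect_packers(data)`: a hash mismatch means you are not looking at the artefact the report describes, and no signature on the page applies to it.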

MITRE ATT&CK Enterprise v15

Tasks