General

  • Target

    a9102ac3809f222b186591c2b6663f13d776be8331d642b82964fd8ad08b5012

  • Size

    163KB

  • Sample

    240522-fmf69acf28

  • MD5

    1a3c903a62627632fdb80bbabeea8e49

  • SHA1

    847712809c4fc60e79062a6029c841a8121ca195

  • SHA256

    a9102ac3809f222b186591c2b6663f13d776be8331d642b82964fd8ad08b5012

  • SHA512

    0b48396b731652fc6ece0aee9a80ecfd78f9d42e95f1ed409d19b9e4e4ff021851093f42485abebe230284ffa5f0d92641bccd29eba6677a0668812c9d183589

  • SSDEEP

    1536:PepYe1vLk2hocKcUGOYyRlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:mptpLkDccYyltOrWKDBr+yJb

Malware Config

Extracted

Family

gozi

Targets

    • Target

      a9102ac3809f222b186591c2b6663f13d776be8331d642b82964fd8ad08b5012

    • Size

      163KB

    • MD5

      1a3c903a62627632fdb80bbabeea8e49

    • SHA1

      847712809c4fc60e79062a6029c841a8121ca195

    • SHA256

      a9102ac3809f222b186591c2b6663f13d776be8331d642b82964fd8ad08b5012

    • SHA512

      0b48396b731652fc6ece0aee9a80ecfd78f9d42e95f1ed409d19b9e4e4ff021851093f42485abebe230284ffa5f0d92641bccd29eba6677a0668812c9d183589

    • SSDEEP

      1536:PepYe1vLk2hocKcUGOYyRlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:mptpLkDccYyltOrWKDBr+yJb

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Detects executables built or packed with MPress PE compressor

    • UPX dump on OEP (original entry point)

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 1

Tasks