General
Target: Plasmafree.exe
Size: 16KB
Sample: 240531-1ea1gseb3w
MD5: 40e2ed614058109b9b93a33cb8787277
SHA1: 503260dd9d33f949613fceef68b6143d8049d913
SHA256: 76397d748732f6ddf04130c19634808852d73711f6ee4d2829c171c2510cea7f
SHA512: cff8562ef36ba896e546add6f303999a2b09c263ab8b6cb2b9907e3d6835c0af0aa4575639d5e3a0690f77cc8061027465db9621d2a7ecdb8d4261def16a2d28
SSDEEP: 384:Qd3kw7ShTvn9G7851TzZfvw1+zWsptYcFwVc03K:Q7ShTy85RlfvwkDtYcFwVc6K
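A hash-verification helper, added here as an example and not part of the report or the sandbox vendor's tooling: it recomputes the four digests listed above for a byte string or a file on disk, reports which of the report's values match, and parses the ssdeep block size so you can tell whether a fuzzy comparison is even meaningful. The REPORT_IOCS and REPORT_SSDEEP constants are copied from the fields above; everything else (function names, the chunked reader) is this example's own. The ssdeep similarity score itself needs the separate ssdeep library and is not computed here.

```python
"""Check a file (or in-memory bytes) against the hash IoCs in the report.

Added example, not part of the report or the sandbox vendor's tooling.
REPORT_IOCS and REPORT_SSDEEP are copied from the General section above."""
import hashlib
from typing import Dict, Iterable, Set, Tuple

REPORT_IOCS: Dict[str, str] = {
    "md5": "40e2ed614058109b9b93a33cb8787277",
    "sha1": "503260dd9d33f949613fceef68b6143d8049d913",
    "sha256": "76397d748732f6ddf04130c19634808852d73711f6ee4d2829c171c2510cea7f",
    "sha512": "cff8562ef36ba896e546add6f303999a2b09c263ab8b6cb2b9907e3d6835c0af0aa4575639d5e3a0690f77cc8061027465db9621d2a7ecdb8d4261def16a2d28",
}
REPORT_SSDEEP = "384:Qd3kw7ShTvn9G7851TzZfvw1+zWsptYcFwVc03K:Q7ShTy85RlfvwkDtYcFwVc6K"
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all four hashers so the input is read only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def _matching(computed: Dict[str, str], iocs: Dict[str, str]) -> Set[str]:
    """Names of the IoC digests equal to the computed ones. Hex case is
    ignored because reports and threat feeds disagree on it."""
    return {name for name, value in iocs.items()
            if computed.get(name) == value.strip().lower()}


def match_iocs(data: bytes, iocs: Dict[str, str]) -> Set[str]:
    """Which of the report's digests match an in-memory blob."""
    return _matching(digest_chunks([data]), iocs)


def match_file(path: str, iocs: Dict[str, str], chunk_size: int = 1 << 20) -> Set[str]:
    """Same check for a file on disk, streamed in chunk_size pieces."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block
    return _matching(digest_chunks(chunks()), iocs)


def parse_ssdeep(sig: str) -> Tuple[int, str, str]:
    """Split 'blocksize:hash1:hash2' (a trailing ',filename' stays in hash2)."""
    blocksize, h1, h2 = sig.split(":", 2)
    return int(blocksize), h1, h2


def ssdeep_comparable(sig_a: str, sig_b: str) -> bool:
    """ssdeep only scores two signatures whose block sizes are equal or differ
    by exactly a factor of two; any other pair is guaranteed to score 0, so
    check this before paying for a comparison."""
    a, b = parse_ssdeep(sig_a)[0], parse_ssdeep(sig_b)[0]
    return a == b or a == 2 * b or b == 2 * a


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, sorted(match_file(path, REPORT_IOCS)) or "no match")
```

Run it with one or more file paths; a file that is the sample will match on all four algorithms, and a file that matches on only some of them indicates a transcription error in whichever IoC field disagrees rather than a different file.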
Static task: static1
Malware Config
Extracted: gozi (family label only; this report lists no C2 addresses or key material from the extracted configuration)
Targets
Target: Plasmafree.exe
Size: 16KB
Signatures
- Downloads MZ/PE file: a file fetched over the network during the run begins with the MZ header, i.e. a further executable was retrieved.
- Sets service image path in registry: writes an ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name>, the location the Service Control Manager reads to find a service's binary; this is service-based persistence.
- Executes dropped EXE: a file written to disk during the run is later started as a process.
- Loads dropped DLL: a file written to disk during the run is later loaded as a module.
- Legitimate hosting services abused for malware hosting/C2: traffic goes to a public hosting or CDN service rather than attacker-owned infrastructure; the report does not name the host.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP; the report does not name the service.
- Suspicious use of NtSetInformationThreadHideFromDebugger: calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11), after which the thread no longer raises debug events to an attached debugger; an anti-debugging technique.
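The signatures above can be re-derived from a sandbox or EDR event stream. The evaluator below is an added example and not the sandbox vendor's own detection logic: the event schema, the IP_LOOKUP_HOSTS list, the HOSTING_SERVICES placeholder and the EVENTS sample are all constructed for illustration and are not taken from this sample's run. It tracks files written during the run so that a later process start or module load of one of them counts as "dropped", matches the Services\<name>\ImagePath key across any control set, and distinguishes the ThreadHideFromDebugger information class from other NtSetInformationThread calls.

```python
"""Re-derive the report's behavioural signatures from an event stream.

Added example, not the sandbox vendor's rules. Assumed: the event schema
below, the IP_LOOKUP_HOSTS and HOSTING_SERVICES lists, and the constructed
EVENTS (not captured from the Plasmafree.exe run)."""
import re
from typing import Dict, Iterable, List, Set

Event = Dict[str, object]

# Assumed list of public "what is my IP" services; extend for your environment.
IP_LOOKUP_HOSTS: Set[str] = {"api.ipify.org", "ipinfo.io", "icanhazip.com",
                             "checkip.amazonaws.com", "ip-api.com"}
# Assumed placeholder; populate with the hosting/CDN domains you track.
HOSTING_SERVICES: Set[str] = {"files.example-hosting.test"}

# ImagePath under any control set of the Services key; this is what the
# "Sets service image path in registry" signature keys on.
SERVICE_IMAGEPATH = re.compile(
    r"^hklm\\system\\(currentcontrolset|controlset\d+)\\services\\[^\\]+\\imagepath$",
    re.IGNORECASE)

# ThreadInformationClass value for ThreadHideFromDebugger.
THREAD_HIDE_FROM_DEBUGGER = 0x11


def evaluate(events: Iterable[Event]) -> List[str]:
    """Walk the events in order and return the sorted signature names hit.

    'dropped' holds paths written by monitored processes so far, so that
    executing or loading one of them counts as a dropped EXE/DLL."""
    hits: Set[str] = set()
    dropped: Set[str] = set()
    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            dropped.add(str(ev["path"]).lower())
        elif kind == "registry_set" and SERVICE_IMAGEPATH.match(str(ev["key"])):
            hits.add("Sets service image path in registry")
        elif kind == "process_create" and str(ev["image"]).lower() in dropped:
            hits.add("Executes dropped EXE")
        elif kind == "image_load" and str(ev["path"]).lower() in dropped:
            hits.add("Loads dropped DLL")
        elif kind == "http_response" and bytes(ev["body_prefix"]).startswith(b"MZ"):
            hits.add("Downloads MZ/PE file")
        elif kind == "http_request":
            host = str(ev["host"]).lower()
            if host in IP_LOOKUP_HOSTS:
                hits.add("Looks up external IP address via web service")
            if host in HOSTING_SERVICES:
                hits.add("Legitimate hosting services abused for malware hosting/C2")
        elif (kind == "api_call" and ev["name"] == "NtSetInformationThread"
              and ev["info_class"] == THREAD_HIDE_FROM_DEBUGGER):
            hits.add("Suspicious use of NtSetInformationThreadHideFromDebugger")
    return sorted(hits)


# Constructed event stream that exercises every rule once; not real telemetry.
DROP_EXE = r"C:\Users\victim\AppData\Local\Temp\svc.exe"
DROP_DLL = r"C:\Users\victim\AppData\Local\Temp\helper.dll"
EVENTS: List[Event] = [
    {"type": "http_request", "host": "files.example-hosting.test", "path": "/p.bin"},
    {"type": "http_response", "host": "files.example-hosting.test", "body_prefix": b"MZ\x90\x00"},
    {"type": "file_write", "path": DROP_EXE},
    {"type": "file_write", "path": DROP_DLL},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe"},  # benign control
    {"type": "process_create", "image": DROP_EXE},
    {"type": "image_load", "path": DROP_DLL},
    {"type": "registry_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\svc\ImagePath",
     "data": DROP_EXE},
    {"type": "http_request", "host": "api.ipify.org", "path": "/"},
    {"type": "api_call", "name": "NtSetInformationThread", "info_class": 0},  # not hide-from-debugger
    {"type": "api_call", "name": "NtSetInformationThread", "info_class": THREAD_HIDE_FROM_DEBUGGER},
]

if __name__ == "__main__":
    for name in evaluate(EVENTS):
        print(name)
```

The ordering matters: the dropped-file set is filled from file_write events before the process_create and image_load events that reference them, which is also why an EXE executed from a path the sandbox never saw written is deliberately not flagged.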