General

  • Target

    Subz.rar

  • Size

    705KB

  • Sample

    240602-ctckvsgb38

  • MD5

    f0703571bafb59196a372099890a8be8

  • SHA1

    bb5358a9e54a77aab91bf1a3b47a0c675f76d2aa

  • SHA256

    ca6d4462d7f57c219043efbe84a1b6ac402c731a17cf822ca1b209cb1c0150c3

  • SHA512

    6c32f6ec2ef40d7d03966af20d382d5b6f10b1ca0a3516945ca50a970c394b04d07b7dad22ba8a52bc7b86d50f59d61ba3beed2e7d3fc416c2831906f02ce6c8

  • SSDEEP

    12288:Tu8+l+Wm099Yycps+UZMyYWzKvVNGUZOw0WsoDwuCGCq6RheXuAIxP43tZtqLg:acHuSHpshZZ/zGKUZOTW1DojEpvt0g

Malware Config

Extracted

Family

gozi

Targets

    • Target

      Subz.rar

    • Size

      705KB

    • MD5

      f0703571bafb59196a372099890a8be8

    • SHA1

      bb5358a9e54a77aab91bf1a3b47a0c675f76d2aa

    • SHA256

      ca6d4462d7f57c219043efbe84a1b6ac402c731a17cf822ca1b209cb1c0150c3

    • SHA512

      6c32f6ec2ef40d7d03966af20d382d5b6f10b1ca0a3516945ca50a970c394b04d07b7dad22ba8a52bc7b86d50f59d61ba3beed2e7d3fc416c2831906f02ce6c8

    • SSDEEP

      12288:Tu8+l+Wm099Yycps+UZMyYWzKvVNGUZOw0WsoDwuCGCq6RheXuAIxP43tZtqLg:acHuSHpshZZ/zGKUZOTW1DojEpvt0g

    • Score

      3/10

    • Target

      Subz/injector_1.exe

    • Size

      6.1MB

    • MD5

      6ef4b97c3b24f3f387f4f757287097ae

    • SHA1

      12547946c8d4f50218464b29184337cbc2f4a8b6

    • SHA256

      a179d9407628e966168c8c1cffbb0c85d5551864b70ab06aa5ffa65e8a6eb66e

    • SHA512

      0469252f08301837003d8ffd90d9ecc21d43541bffe56c83dcedebf9625bac53d62f897f245a5a359e08c213686a495a62bba7ce7a08064502b283cd81b7853d

    • SSDEEP

      24576:i4U9QqMVCssGgPUh1VNn9UQ7+YymQAXDdVOaCoua71+J0fgbGSh4s3sXYX7bCiFY:iixKBTJOr7QcoCDHdIFcDgTq4GdT

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Blocklisted process makes network request

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check that decides whether to run on this host.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      Subz/internal.dll

    • Size

      130KB

    • MD5

      c39b1e688ff41b0ac5d3d35a98cf1f09

    • SHA1

      b68dd81764e8e33ea64ea535fcdf4da921475b7e

    • SHA256

      4c043478a2de55523492518b495252ba4e85a47901d9069fad4334bab0ed6d4c

    • SHA512

      6faffa172d19af6c079063b21ffe1778f0786e6b09e85bfebc4cf841b4ac1f51d880ff454389d5402f6bfaccdab7857be899dd888bd6730f8eb69a4aaf728845

    • SSDEEP

      1536:xh5wHMoCV0x0+4hNp87vV4DhCTF18RYsoGxuPwWhC5ZEsU5dGzwO/k5uTG6/nUj:rmMojx0tp8x4DhCTC4sUuzD/S6fUj

    • Score

      1/10

    • Target

      Subz/internal.lib

    • Size

      1KB

    • MD5

      bfa76d1cb7b33cbb1e6e635a6cbae24a

    • SHA1

      a514d29d00983567020dca6c3d15d8b03a746423

    • SHA256

      81fe385f7638247412f3e3ea4930e28e423829d4be1ed3413b6a0c734d13489a

    • SHA512

      f061d86217aa7b093e5bd1fe5314f0c34a2a2fdb3fab95c6cf8d7055414e790f90bf72e4e74a6e977d4e1e4192d4918bb11abc94a999f71f1b38661bc5a2f965

    • Score

      3/10
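
The hashes above are the practical output of a report like this: they let you confirm that a file you are holding is the same artifact the sandbox ran. The script below is an added example, not part of the original report and not sandbox tooling. It embeds the MD5/SHA1/SHA256 values listed for the four targets, streams local files through all four hashers in one pass, and flags both full matches and the suspicious case where only some digests agree. It also splits the SSDEEP strings into their parts, because ssdeep only produces a meaningful score when the two block sizes (the number before the first colon) are equal or differ by a factor of two; the directory path on the command line is an assumption for illustration.

```python
"""Match local copies of the files against the hashes listed in this report.

Added example, not part of the original report and not sandbox tooling. The
hash values in REPORTED are copied from the report above; the directory path
given on the command line is an assumption for illustration.
"""
import hashlib
import os
import sys

# MD5 / SHA1 / SHA256 as listed in the report, keyed by the reported target name.
# SHA512 is computed below as well but left out of this table for brevity.
REPORTED = {
    "Subz.rar": {
        "md5": "f0703571bafb59196a372099890a8be8",
        "sha1": "bb5358a9e54a77aab91bf1a3b47a0c675f76d2aa",
        "sha256": "ca6d4462d7f57c219043efbe84a1b6ac402c731a17cf822ca1b209cb1c0150c3",
    },
    "Subz/injector_1.exe": {
        "md5": "6ef4b97c3b24f3f387f4f757287097ae",
        "sha1": "12547946c8d4f50218464b29184337cbc2f4a8b6",
        "sha256": "a179d9407628e966168c8c1cffbb0c85d5551864b70ab06aa5ffa65e8a6eb66e",
    },
    "Subz/internal.dll": {
        "md5": "c39b1e688ff41b0ac5d3d35a98cf1f09",
        "sha1": "b68dd81764e8e33ea64ea535fcdf4da921475b7e",
        "sha256": "4c043478a2de55523492518b495252ba4e85a47901d9069fad4334bab0ed6d4c",
    },
    "Subz/internal.lib": {
        "md5": "bfa76d1cb7b33cbb1e6e635a6cbae24a",
        "sha1": "a514d29d00983567020dca6c3d15d8b03a746423",
        "sha256": "81fe385f7638247412f3e3ea4930e28e423829d4be1ed3413b6a0c734d13489a",
    },
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory buffer for the four fixed-size hashes in the report."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Stream a file through all four hashers at once so a large sample is read only once."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_report(digests: dict, reported: dict = REPORTED) -> tuple:
    """Compare computed digests with the report.

    Returns (full, partial): `full` lists targets where every algorithm the
    report gives agrees; `partial` lists targets where some but not all agree,
    which should never happen for a genuine copy and is worth a second look
    (a mis-transcribed hash, or a different file sharing one weak digest).
    """
    full, partial = [], []
    for name, expected in reported.items():
        hits = [digests.get(algo, "").lower() == value.lower() for algo, value in expected.items()]
        if all(hits):
            full.append(name)
        elif any(hits):
            partial.append(name)
    return full, partial


def parse_ssdeep(sig: str) -> tuple:
    """Split an ssdeep signature 'blocksize:chunk:double_chunk' into its three parts."""
    blocksize, chunk, double_chunk = sig.split(":", 2)
    return int(blocksize), chunk, double_chunk


def ssdeep_comparable(sig_a: str, sig_b: str) -> bool:
    """ssdeep only scores two signatures whose block sizes are equal or differ by 2x;
    anything else compares as 0 regardless of content, so check this before
    reading anything into a low similarity score."""
    a, b = parse_ssdeep(sig_a)[0], parse_ssdeep(sig_b)[0]
    return a == b or a == 2 * b or b == 2 * a


if __name__ == "__main__":
    # Usage: python match_hashes.py <directory containing the extracted files>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            full, partial = match_report(hash_file(path))
            if full or partial:
                print(f"{path}: full={full} partial={partial}")
```

Run it against the directory where Subz.rar was extracted; a genuine copy prints a single full match per file. The block sizes in this report (12288, 24576, 1536) mean the SSDEEP of injector_1.exe can be scored against Subz.rar, but internal.dll cannot be scored against either, so a 0 between them says nothing about similarity.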

MITRE ATT&CK Enterprise v15

Tasks