General

  • Target

    thegreatestexploit.exe

  • Size

    11KB

  • Sample

    240602-m1636abg89

  • MD5

    b255f2988558b9dbc3cc5a9814803364

  • SHA1

    6cab200559f340364b3a3cea3cf321e7d32cec97

  • SHA256

    f2a05b8bcb63042b9af36a0aa52bca8ae9de5664edc6bb1a46499ab9516e4ae5

  • SHA512

    5bcf60d73069c15087cce591b4f3bf125b3649528758068859c6ef510b811c336962afdc20ee29a805a90fd7eff98ae7b97062035666144ae0e78d19796773d3

  • SSDEEP

    192:598Jf9mV2Xm51Mpa0kGea0ICntHvl7QYrm/sxn8Ft1eSwcU1r:59AoMpauL0/vhQYKUxsjJd8

Malware Config

Extracted

  • Family

    gozi

Targets

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks