General

  • Target

    6e352a6e96db293f487d1c1996f7ca60_JaffaCakes118

  • Size

    507KB

  • Sample

    241023-lmhyqssfre

  • MD5

    6e352a6e96db293f487d1c1996f7ca60

  • SHA1

    887a357a96b9dbb428b6b776a3ec8ca8de746f18

  • SHA256

    49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6

  • SHA512

    bad3b109707b7ba714ccfd41109d6defe9aa2c651cd7dd8c91f536622fa52394071e858a81a2844421a56219527737d395580ea73e250f6cb44c4c1c4959351d

  • SSDEEP

    12288:IEi3NId2zO8PW418jZZUozZuzYgwz3r14Y07KCJ:GrdZ+tZlVUYBzB0KC

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215798

rsa_pubkey.plain

Targets

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks