Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781

  • Size

    243KB

  • Sample

    221127-xpk2nabd43

  • MD5

    c2db310b19a07816183638816938eb5d

  • SHA1

    ea5d7cfd5d278f019a77b99cfac9a8e0709d591e

  • SHA256

    500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781

  • SHA512

    54cd7c8c5b100e222dd53f338f6f4b8d2fb1fc55db36e848288881b1b5e4ad8200b0cc45d2d36f54bff9faff55e4d49a54a17b866687d2905789a20375eaf772

  • SSDEEP

    6144:x4y6j8ncpnrKlEtSfTKfRn/kXfMbpuUW:uVAcpnulEEfWfR/YMbp

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

goliathuz.com

musicvideoporntip3s.ru

Attributes
  • exe_type

    worker

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781

    • Size

      243KB

    • MD5

      c2db310b19a07816183638816938eb5d

    • SHA1

      ea5d7cfd5d278f019a77b99cfac9a8e0709d591e

    • SHA256

      500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781

    • SHA512

      54cd7c8c5b100e222dd53f338f6f4b8d2fb1fc55db36e848288881b1b5e4ad8200b0cc45d2d36f54bff9faff55e4d49a54a17b866687d2905789a20375eaf772

    • SSDEEP

      6144:x4y6j8ncpnrKlEtSfTKfRn/kXfMbpuUW:uVAcpnulEEfWfR/YMbp

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks