gozi | 112b84b09d2051376879f697f03190240132b87bbac0d069175bd3039d492f56 | Triage

Resubmissions

25/12/2022, 16:04

221225-th4nmseg91 10

25/12/2022, 09:43

221225-lqbntsee3v 10

Sharing

General

Target

ursnif.bin
Size

332KB
Sample

221225-lqbntsee3v
MD5

a03b2c0e5af189c08c70a6532ab48300
SHA1

b4d68c7f0bc9a592f500de86e0125dd1e2a36089
SHA256

112b84b09d2051376879f697f03190240132b87bbac0d069175bd3039d492f56
SHA512

c77f652b8300763e9ebd5c93b85bfd5c8ef904c03f0ecc1fac9128fea211058980402ca511d71fa07d95fedb74abc8658a1bfc636f749c2022e64e96d427f3a7
SSDEEP

6144:4i7CLqelbeSO8XNHlreeOxeZ61hJFIJfVAVrwU+:jGGWbRNHlKel6PHgtyQ

Score

10^/10

gozi 3000 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3000

C2

trackingg-protectioon.cdn4.mozilla.net

185.189.151.38

31.214.157.31

protectioon.cdn4.mozilla.net

9185.212.47.59

194.76.224.95

194.76.227.159

91.241.93.111

Attributes

base_path
/fonts/
build
250249
exe_type
loader
extension
.bak
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

3000

C2

protectioon.cdn4.mozilla.net

194.76.224.95

194.76.227.159

91.241.93.111

31.214.157.31

9185.212.47.59

trackingg-protectioon.cdn4.mozilla.net

185.189.151.38

Attributes

base_path
/fonts/
build
250249
exe_type
worker
extension
.bak
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  ursnif.bin
- Size
  
  332KB
- MD5
  
  a03b2c0e5af189c08c70a6532ab48300
- SHA1
  
  b4d68c7f0bc9a592f500de86e0125dd1e2a36089
- SHA256
  
  112b84b09d2051376879f697f03190240132b87bbac0d069175bd3039d492f56
- SHA512
  
  c77f652b8300763e9ebd5c93b85bfd5c8ef904c03f0ecc1fac9128fea211058980402ca511d71fa07d95fedb74abc8658a1bfc636f749c2022e64e96d427f3a7
- SSDEEP
  
  6144:4i7CLqelbeSO8XNHlreeOxeZ61hJFIJfVAVrwU+:jGGWbRNHlKel6PHgtyQ
Score

10^/10

gozi 3000 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi3000bankerisfbtrojan

behavioral2

gozi3000bankerisfbtrojan