General

  • Target

    4c0e67.exe

  • Size

    40KB

  • Sample

    230102-ms8xsadh87

  • MD5

    89b4b5f702481b9b218dadfce9c9853b

  • SHA1

    1999cbad156476550a0cf8207887373073466edb

  • SHA256

    b0e40dab94b05dcb01dbb9a162c8c75685b41bfdc2ce74ff2e579d84bb33fdd7

  • SHA512

    57bbb407b439a71e40a5de3c4dd1c1a71abcafb635587aa29ae624538cb74c5bed9bad4adac65855a4f6151d84a3e4cd4d7e12e4a8782b97113aa438fe1525a3

  • SSDEEP

    768:vKbMPv5JL/yWeM4CPSlWoEKCCldH24pjwg3jllNeErDqr:v4MHLL/2wPumCXnpjwgLkEw

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

20000

C2

trackingg-protectioon.cdn4.mozilla.net

79.132.130.171

45.11.182.30

protectioon.cdn4.mozilla.net

79.132.128.228

185.189.151.61

Attributes
  • base_path

    /fonts/

  • build

    250249

  • exe_type

    loader

  • extension

    .bak

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

20000

C2

trackingg-protectioon.cdn4.mozilla.net

79.132.130.171

45.11.182.30

protectioon.cdn4.mozilla.net

79.132.128.228

185.189.151.61

Attributes
  • base_path

    /fonts/

  • build

    250249

  • exe_type

    worker

  • extension

    .bak

  • server_id

    50

rsa_pubkey.plain
aes.plain
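
The extracted config above gives everything needed for a network-side check: two C2 hostnames, four IPs, and the URL shape the loader builds from base_path and extension. As an added example (not part of the sandbox report, and not the sample's own code), the following Python script applies those indicators to web-proxy log lines. The indicator values are copied from the config; the log format, the log lines and the client IPs are constructed for illustration. Note that both hostnames imitate the legitimate Firefox tracking-protection CDN name, so matching must be on the exact hostname rather than on the parent domain.

```python
"""Match proxy log lines against the Gozi/ISFB C2 indicators extracted above.

Added example, not part of the sandbox report.  Hosts, IPs, base_path and
extension are copied from the extracted config; the log format and the log
lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Indicators copied from the extracted config (botnet 20000, build 250249)
C2_HOSTS = {
    "trackingg-protectioon.cdn4.mozilla.net",
    "protectioon.cdn4.mozilla.net",
}
C2_IPS = {"79.132.130.171", "45.11.182.30", "79.132.128.228", "185.189.151.61"}
BASE_PATH = "/fonts/"   # attribute base_path
EXTENSION = ".bak"      # attribute extension

# Assumed log format (constructed): "<ts> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")


@dataclass
class Hit:
    client: str
    url: str
    reasons: tuple


def classify(url):
    """Return the indicator names a URL matches; an empty tuple means no match."""
    m = URL_RE.match(url)
    if not m:
        return ()
    host = m.group("host").lower()
    path = m.group("path") or "/"
    reasons = []
    # Exact hostname match: a parent-domain check would pass these lookalikes.
    if host in C2_HOSTS:
        reasons.append("c2_host")
    if host in C2_IPS:
        reasons.append("c2_ip")
    # ISFB builds request URLs as base_path + encoded data + extension, so the
    # path shape is a host-independent but weaker indicator (expect some
    # false positives on real font directories).
    if path.startswith(BASE_PATH) and path.endswith(EXTENSION):
        reasons.append("isfb_url_shape")
    return tuple(reasons)


def scan(lines):
    """Parse log lines and return one Hit per line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m.group("url"))
        if reasons:
            hits.append(Hit(m.group("client"), m.group("url"), reasons))
    return hits


# Constructed sample log (not from the report); the first line is the real
# Firefox CDN hostname and must not match.
SAMPLE_LOG = """\
2023-01-02T10:00:01Z 10.0.0.5 GET https://tracking-protection.cdn.mozilla.net/ 200
2023-01-02T10:00:07Z 10.0.0.5 GET https://protectioon.cdn4.mozilla.net/fonts/aGVsbG8.bak 200
2023-01-02T10:00:09Z 10.0.0.5 GET http://79.132.130.171/fonts/dXNlcg/x.bak 404
2023-01-02T10:00:11Z 10.0.0.9 GET https://example.com/fonts/roboto.woff2 200
2023-01-02T10:00:13Z 10.0.0.9 GET http://203.0.113.7/fonts/z.bak 200
""".splitlines()

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h.client, h.url, ",".join(h.reasons))
```

Run against the constructed log, the script flags the two requests to listed C2 infrastructure with both a host/IP reason and the URL-shape reason, and flags the request to 203.0.113.7 on URL shape alone; that last class of hit is the one to treat as lead rather than verdict.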

Targets

    • Target

      4c0e67.exe

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

      Sets the context of a thread in another process; with a loader this is typically the final step of process hollowing or injection, redirecting a suspended thread into injected code.

MITRE ATT&CK Matrix ATT&CK v6

Discovery (technique, ID, number of matching sandbox signatures)

  • Query Registry, T1012 (1)
  • System Information Discovery, T1082 (3)
  • Remote System Discovery, T1018 (2)
  • Process Discovery, T1057 (1)