gozi | 8aaa6ad14089cb6cf30983ded8a0f00388fbdccd1f511fe06093b2241ebc5ded | Triage

Sharing

Copy URL Twitter E-mail

General

Target

agenzia_delle_entrate.zip
Size

39KB
Sample

230105-lrasxsbe79
MD5

e91efe32d1ba7af0e42c8d51f67b6934
SHA1

90bf2a7ef061ee0e5dc7c361b793cbce72146601
SHA256

8aaa6ad14089cb6cf30983ded8a0f00388fbdccd1f511fe06093b2241ebc5ded
SHA512

1cdd28ce3cadc6d8f6e2ddea9217346774ee753a77eb7bdbe0a7691eb3e637e55f42ebc736a7a4b6bad61c06277ffc9320878d898c80eee26b91bcb269889ef9
SSDEEP

768:K/2swZnZsB77hYdwZ6LhF7zPDqvt/7CxsJdMtDLa+jRPOgEI5m7ZSGUG:K/pw7slhdUhFPDqV/0Z5La2POPSGr

Score

10^/10

gozi 7701 banker isfb trojan

Malware Config

Extracted

Family

gozi

Botnet

7701

C2

checklist.skype.com

62.173.145.223

31.41.44.105

45.89.66.58

Attributes

base_path
/drew/
build
250249
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Targets

- Target
  
  agenzia_delle_entrate/agenzia_delle_entrate.url
- Size
  
  194B
- MD5
  
  c0068547cbde15fe13b58ecb576c4bf7
- SHA1
  
  86f8247dc5c235e4117e3ca0e6b220a192124347
- SHA256
  
  d1d80208de45d907fd3a8fab28bef80b917a96ee57784bcae2cd440838e26ebd
- SHA512
  
  b71f7941177882207917c22b9d5038c021afe3e18510c90b6cc3d1ddd6985e38e73424357defaf1d469a9dcf0bc5d096d1c98db64919b6b274342ebce63ff0e4
Score

10^/10

gozi 7701 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gozi7701bankerisfbtrojan