gozi | 00a11f7f6f468459711a2907e4dc74f7d574b37c7bc5f2b8e73e518848ff9d50 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Gennaio_url
Size

198B
Sample

230112-nqnz9sfg86
MD5

c359626e0daea8955bdbb417316c38ba
SHA1

0de679c73d0d580050e252d4aa1924920ff77d3b
SHA256

00a11f7f6f468459711a2907e4dc74f7d574b37c7bc5f2b8e73e518848ff9d50
SHA512

2ead9ffcb4eb3b878c497c370071cf283e17bb006728219507b250a60e0d6dcd629b30365074d649773086245a8086091e0cd60a60effcd97d88315e3ca66174

Score

10^/10

gozi 7704 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7704

C2

checklist.skype.com

62.173.149.202

31.41.44.158

193.0.178.157

Attributes

base_path
/drew/
build
250249
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  Gennaio_url
- Size
  
  198B
- MD5
  
  c359626e0daea8955bdbb417316c38ba
- SHA1
  
  0de679c73d0d580050e252d4aa1924920ff77d3b
- SHA256
  
  00a11f7f6f468459711a2907e4dc74f7d574b37c7bc5f2b8e73e518848ff9d50
- SHA512
  
  2ead9ffcb4eb3b878c497c370071cf283e17bb006728219507b250a60e0d6dcd629b30365074d649773086245a8086091e0cd60a60effcd97d88315e3ca66174
Score

10^/10

gozi 7704 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gozi7704bankerisfbpersistencetrojan