gozi | 2ddef61f42e2b6b2adb692b88087fcfa1ca696303e9a4c1d50091f6dbf66fbbc | Triage

Sharing

General

Target

2ddef61f42e2b6b2adb692b88087fcfa1ca696303e9a4c1d50091f6dbf66fbbc
Size

822KB
Sample

230129-wcs13afh72
MD5

725d4179c9f4bea0f3c520179a736ce8
SHA1

487725491b74292aea4af56e025c68257dd6aebd
SHA256

2ddef61f42e2b6b2adb692b88087fcfa1ca696303e9a4c1d50091f6dbf66fbbc
SHA512

658f52ba818fb88c20d963048e877ad52265caa40dba5197c7ebf20d5e347be0f7fe160dcb6d74925d09315559aed6f422702aa34b91f499c78bb62889bd78a2
SSDEEP

12288:R4M/vPufq2ORdooOdSgWrdDoXiglWjw9SAcqP2W5OEhuAwc84b2mzd5x6dlGN5:RP3RdNhgWpo3UmSSIOKm2mR5xWwN5

Score

10^/10

gozi 1000 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://news-deck.at

http://taslks.at

http://living-start.at

Attributes

build
217107
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  2ddef61f42e2b6b2adb692b88087fcfa1ca696303e9a4c1d50091f6dbf66fbbc
- Size
  
  822KB
- MD5
  
  725d4179c9f4bea0f3c520179a736ce8
- SHA1
  
  487725491b74292aea4af56e025c68257dd6aebd
- SHA256
  
  2ddef61f42e2b6b2adb692b88087fcfa1ca696303e9a4c1d50091f6dbf66fbbc
- SHA512
  
  658f52ba818fb88c20d963048e877ad52265caa40dba5197c7ebf20d5e347be0f7fe160dcb6d74925d09315559aed6f422702aa34b91f499c78bb62889bd78a2
- SSDEEP
  
  12288:R4M/vPufq2ORdooOdSgWrdDoXiglWjw9SAcqP2W5OEhuAwc84b2mzd5x6dlGN5:RP3RdNhgWpo3UmSSIOKm2mR5xWwN5
Score

10^/10

gozi 1000 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi1000bankerisfbpersistencetrojan

behavioral2

gozi1000bankerisfbpersistencetrojan