gozi | 7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda | Triage

Sharing

General

Target

7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda
Size

321KB
Sample

230208-yx1mraeg7z
MD5

1e512df0f26079e52376064f1a7ec019
SHA1

858a5465ed0f9fda9ab35945e765c44abcc4f230
SHA256

7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda
SHA512

a2877121db47e6a3694c282d25a89a4869cd0fcc45f9dae555831baf497ed5db0ee5e24bb0965b3a1869574a936bc843d350512404269fe6f6ffeef79207c29c
SSDEEP

3072:oPgQ/NddxR9DMe4Cpk3gD0ooHGiylyUIx705sXos5vsWQDiuLpp9gv:orDrDMcC3RCyUIx70uXOLiqkv

Score

10^/10

gozi laplas smokeloader 1001 backdoor banker clipper isfb stealer trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1001

C2

https://checklist.skype.com

http://176.10.125.84

http://91.242.219.235

http://79.132.130.73

http://176.10.119.209

http://194.76.225.88

http://79.132.134.158

Attributes

base_path
/microsoft/
build
260255
exe_type
loader
extension
.acx
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd

Targets

- Target
  
  7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda
- Size
  
  321KB
- MD5
  
  1e512df0f26079e52376064f1a7ec019
- SHA1
  
  858a5465ed0f9fda9ab35945e765c44abcc4f230
- SHA256
  
  7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda
- SHA512
  
  a2877121db47e6a3694c282d25a89a4869cd0fcc45f9dae555831baf497ed5db0ee5e24bb0965b3a1869574a936bc843d350512404269fe6f6ffeef79207c29c
- SSDEEP
  
  3072:oPgQ/NddxR9DMe4Cpk3gD0ooHGiylyUIx705sXos5vsWQDiuLpp9gv:orDrDMcC3RCyUIx70uXOLiqkv
Score

10^/10

gozi laplas smokeloader 1001 backdoor banker clipper isfb stealer trojan
- Detects Smokeloader packer
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Deletes itself
- Executes dropped EXE
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozilaplassmokeloader1001backdoorbankerclipperisfbstealertrojan