General

  • Target

    9404576418.zip

  • Size

    412KB

  • Sample

    230303-vxrhasaf64

  • MD5

    64693f0c4bce7691f60dad2033a5de2e

  • SHA1

    b518665a89ad5bb2470ddcb16ffdd400499e2131

  • SHA256

    d713bd24ce7d88bad7f5723a7686daae8b26617f9f50997a50a594ce060d6f02

  • SHA512

    7b866a4edd695032b2ff2f8b8adc4c2513776df78ec66dd41a366c212af30e032f79688512522de2f01336f0bd2dc391a176f4881c0f4194aa9c6cf554681de6

  • SSDEEP

    12288:hKJ3JUxtm1EeNWN4AnThB6kWSpzQ5+a4Tr:i5GmOe+zntTZn

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

20000

C2

https://checklistg.google.com

http://185.189.151.250

https://edge14.microsoft.com

http://45.11.181.117

Attributes
  • base_path

    /binaries/

  • build

    250255

  • exe_type

    loader

  • extension

    .ato

  • server_id

    50

  • rsa_pubkey.plain

  • aes.plain

Extracted

Family

gozi

Botnet

20000

C2

https://checklistg.google.com

http://194.76.225.110

https://edge14.microsoft.com

http://194.76.227.187

http://109.230.199.106

http://45.11.180.110

http://185.219.220.150

http://79.132.132.247

Attributes
  • base_path

    /binaries/

  • build

    250255

  • exe_type

    worker

  • extension

    .ato

  • server_id

    50

  • rsa_pubkey.plain

  • aes.plain
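The two extracted configs above (loader and worker, same botnet, build, base_path and extension, overlapping C2 lists) are the part of this report an analyst actually hunts on. The script below is an added example, not part of the sandbox report: it embeds the C2, base_path, extension, build and botnet values exactly as listed on the page, de-duplicates the C2s across both configs, separates IP-literal C2s from hostnames, and emits Suricata rules. Two things in it are assumptions, not facts from the report: that module fetches look like `<c2><base_path><name><extension>` (the usual ISFB layout), and that the hostnames under google.com and microsoft.com are decoy or connectivity-check entries rather than attacker infrastructure, so they are reported but never turned into a domain-level block.

```python
"""Turn the Gozi/ISFB config fields from the report into hunting indicators.

Added example, not code from the sandbox report. C2 URLs, base_path,
extension, build and botnet are copied from the page; the URL layout
and the decoy classification are assumptions, marked where used.
"""
from dataclasses import dataclass
import ipaddress
from urllib.parse import urlparse

# Constructed from the two "Extracted" blocks on the page.
CONFIGS = [
    {"exe_type": "loader", "botnet": "20000", "build": "250255",
     "base_path": "/binaries/", "extension": ".ato",
     "c2": ["https://checklistg.google.com", "http://185.189.151.250",
            "https://edge14.microsoft.com", "http://45.11.181.117"]},
    {"exe_type": "worker", "botnet": "20000", "build": "250255",
     "base_path": "/binaries/", "extension": ".ato",
     "c2": ["https://checklistg.google.com", "http://194.76.225.110",
            "https://edge14.microsoft.com", "http://194.76.227.187",
            "http://109.230.199.106", "http://45.11.180.110",
            "http://185.219.220.150", "http://79.132.132.247"]},
]

# Assumption: hosts under these parents are decoys / connectivity checks
# padded into the C2 list. Hunt on the exact host, never block the parent.
DECOY_PARENTS = ("google.com", "microsoft.com")


@dataclass(frozen=True)
class C2:
    url: str
    host: str
    is_ip: bool
    suspected_decoy: bool


def classify(url: str) -> C2:
    """Split one C2 URL into host, IP-literal flag and decoy flag."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    decoy = (not is_ip) and any(
        host == p or host.endswith("." + p) for p in DECOY_PARENTS)
    return C2(url, host, is_ip, decoy)


def unique_c2s(configs) -> list[C2]:
    """All C2s across every config, first occurrence wins, order kept."""
    seen: dict[str, C2] = {}
    for cfg in configs:
        for url in cfg["c2"]:
            seen.setdefault(url, classify(url))
    return list(seen.values())


def real_c2_ips(configs) -> list[str]:
    """IP-literal C2s, sorted numerically, for the IP-header rule."""
    ips = {c.host for c in unique_c2s(configs) if c.is_ip}
    return sorted(ips, key=ipaddress.ip_address)


def suricata_rules(configs, sid: int = 9000001) -> list[str]:
    """One http.uri rule per distinct (base_path, extension, build) and one
    IP-header rule covering every IP-literal C2. Assumes module fetches
    look like <c2><base_path><name><extension>. Needs Suricata 5+ for the
    startswith/endswith modifiers."""
    rules = []
    triples = sorted({(c["base_path"], c["extension"], c["build"])
                      for c in configs})
    for base_path, ext, build in triples:
        rules.append(
            f'alert http $HOME_NET any -> $EXTERNAL_NET any ('
            f'msg:"Gozi/ISFB build {build} module fetch {base_path}*{ext}"; '
            f'flow:established,to_server; http.uri; '
            f'content:"{base_path}"; startswith; content:"{ext}"; endswith; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')
        sid += 1
    ips = real_c2_ips(configs)
    if ips:
        rules.append(
            f'alert ip $HOME_NET any -> [{",".join(ips)}] any ('
            f'msg:"Gozi/ISFB botnet {configs[0]["botnet"]} C2 IP"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    for c2 in unique_c2s(CONFIGS):
        tag = "DECOY?" if c2.suspected_decoy else ("IP" if c2.is_ip else "host")
        print(f"{tag:6} {c2.url}")
    print()
    print("\n".join(suricata_rules(CONFIGS)))
```

Running it lists ten distinct C2 entries (eight IP literals, two hostnames flagged as suspected decoys) and prints two rules: a URI rule keyed on `/binaries/` plus `.ato`, which is narrow enough to hunt with across proxy logs as well, and an `alert ip` rule over the eight addresses. Note that the loader and worker lists share only the two decoy hostnames; the real addresses differ per stage, so hunt on the union, not on either block alone.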

Targets

    • Target

      7fa0f446c34ee2fca3fcfbc2f6f0010b6b2dbec804927b4de266fe67839b9d1b

    • Size

      456KB

    • MD5

      9b08e2a02d22e1782c0d035bb363314f

    • SHA1

      01bd90a8244764ca9be447003e04504055bc7ff8

    • SHA256

      7fa0f446c34ee2fca3fcfbc2f6f0010b6b2dbec804927b4de266fe67839b9d1b

    • SHA512

      4d12990775d56166b977110bdf715daf26521993e1951b08988cd27422793fdc6e3d5dbedf7c53e738b35e6fd0c3a1599b99955375ef1ea4f1d1b4d1f40c42d5

    • SSDEEP

      12288:j2FKUnggYedaoWBDXIEUYOgG7fnEW+rvAA2uxQa:j0ggVazrBU7vEBY4Ka

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before the payload runs.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic       Technique                        Count  ID
Discovery    Query Registry                   1      T1012
Discovery    System Information Discovery     3      T1082
Discovery    Remote System Discovery          2      T1018
Discovery    Process Discovery                1      T1057

Tasks