General

  • Target

    Agenzia_Entrate.zip

  • Size

    6.2MB

  • Sample

    230307-r5legahh4x

  • MD5

    a8c9d5897c142b17d66b1a5f5069cd97

  • SHA1

    92dc5129f1245a491ee4620fd444f9de1c2712ea

  • SHA256

    a6b36cc075ec92cbb60edc6e8486f5bdbaea8d66b3e0475a5d4ea9898d4b20bd

  • SHA512

    ad961aad2acc32b55c7dae6578539823739d4c11ef4b2d2b7d90c074e6a12a1f39453ce7a91c5b9712569365b25c4769328992e78f7fcf11c2fcf653a237fc19

  • SSDEEP

    196608:Fn8eL/NMx4iJ5RdTvwt/q3e00kwBCtkSk:F8KNW4I5RdTvwt/oe00dEy3

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7709

C2

checklist.skype.com

62.173.141.252

31.41.44.33

109.248.11.112

Attributes

  • base_path

    /drew/

  • build

    250255

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      Informazione_Azienda.exe

    • Size

      716.5MB

    • MD5

      6b2289e478ba947fcdf3162d7dfcc866

    • SHA1

      6ddee30e77c993cc3c7bd7448115b0910ac35f02

    • SHA256

      360662fe225833af7db84c550f8fb9f7afe7333a9b0e2ca436c9c242d9a87975

    • SHA512

      b1334513bd3febd6e2408404fd63d3f59ed6261f28d045686b21ef7f71f9952affef9a72021f7a541fb6b689016c3344c8907a98dd7ce4d1ed9f32ca43f8aebe

    • SSDEEP

      24576:HJqQKnVYxHs6MxrRcnWOVY1st7Xm1KoY9x:QVYNs6yRc6stKR+

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks