General

  • Target

    impresa.zip

  • Size

    465B

  • Sample

    230308-jpbw4aec6s

  • MD5

    6cb213ffca1cae480757990e6ec59b59

  • SHA1

    fc13c7741afeb9535031d2cd85c8fcccec990e6b

  • SHA256

    b883d0faf8a9f2396a311b6005ab68073ff0e6a09cafbdc7b58a8439d52409a1

  • SHA512

    3621b9bf8509a039b7b7f9c8a73ddad0542b84c273b30d899a10a0d5edab46f6b12441b3f4a381c7dce3ef46812cfa9252101f7f77bdf1c6a2f39e4c72c1c0db

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7711

C2

checklist.skype.com

62.173.138.6

89.117.37.146

46.8.210.82

89.116.227.15

31.41.44.51

Attributes
  • base_path

    /drew/

  • build

    250255

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      impresa/impresa.url

    • Size

      191B

    • MD5

      361301f6ad56d5f44ed70afcbf223df0

    • SHA1

      1195b135d96ee1214531ba0c6146318f2524bea8

    • SHA256

      2362e52e347d77a6b101b80057d9770e44a44599889385a83822625901631583

    • SHA512

      394a2f7d97b7bd70e5827f0294deaee00a710fe931fad8a964ca6f694997de61a3dbd3f63e57a2f119733ea2150c5b1379a4f92b0d871f9714317cc67d9c8284

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v6

Tasks