General

  • Target

    documenti.zip

  • Size

    478B

  • Sample

    230308-jq7edseg29

  • MD5

    6819542f5ba2af5646bd5b5dda64daa4

  • SHA1

    d52e092cf7c92d257dc0553321b322931b582ac2

  • SHA256

    cac82566e9167dc82b09308d05194bfc1ce6441a27b51756024c8b6477d75401

  • SHA512

    6eab608b4db4aa9811d0428e2d753f84e8b0814af2840222bf83ad39f052560438c1740d7181a189711d255e5b832191724d4734f0df832d62b6102226a6f2e9

Malware Config

Extracted

Family

gozi

Botnet

7711

C2

checklist.skype.com

62.173.138.6

89.117.37.146

46.8.210.82

89.116.227.15

31.41.44.51

Attributes
  • base_path

    /drew/

  • build

    250255

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Targets

    • Target

      documenti/documenti.url

    • Size

      191B

    • MD5

      c57ce09111a84d1110b24a8505ff5804

    • SHA1

      9fd1e2577f10a24c2678803e073d35e41b551eb2

    • SHA256

      257413c17f63500a76f9d0216a8dee283021299a61dc0539e6e870fd5d78177b

    • SHA512

      71cf1e5d069a75be84cfcaf82479fb037e75055c05e94ad212453769288b1e3b194156fad802619b0850c9e9abb3c045600779de234b8b51505b1a54f46b7c84

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v6

Tasks