General

  • Target

    AgenziaEntrate.zip

  • Size

    507B

  • Sample

    230308-jv2dyaec8y

  • MD5

    a69361ef6e25ae8829e5e5ec00fcf461

  • SHA1

    57c704fa05da4d9ba66cd01abb87768506283a7f

  • SHA256

    0284ebc8b81dd2894fbdb7ca298d1c2c85c41630b9b9ab99aed51aec86073aae

  • SHA512

    d83b083384049ca937d0cd71aaca55d09f7a1c6f7089829c582eaf4fc75d1d0be579dd16dc58f14ed2935188b5abd3361d4beeba9797e769a14be517ba9fe0c6

Malware Config

Extracted

Family

gozi

Botnet

7711

C2

checklist.skype.com

62.173.138.6

89.117.37.146

46.8.210.82

89.116.227.15

31.41.44.51

Attributes
  • base_path

    /drew/

  • build

    250255

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Targets

    • Target

      AgenziaEntrate/AgenziaEntrate.url

    • Size

      191B

    • MD5

      361301f6ad56d5f44ed70afcbf223df0

    • SHA1

      1195b135d96ee1214531ba0c6146318f2524bea8

    • SHA256

      2362e52e347d77a6b101b80057d9770e44a44599889385a83822625901631583

    • SHA512

      394a2f7d97b7bd70e5827f0294deaee00a710fe931fad8a964ca6f694997de61a3dbd3f63e57a2f119733ea2150c5b1379a4f92b0d871f9714317cc67d9c8284

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v6

Tasks