General

  • Target

    t2B88.exe

  • Size

    364KB

  • Sample

    230315-2askeaff32

  • MD5

    58b9be6abe82b30c44dc293e236623d2

  • SHA1

    d308b4bccfffde00f43a74c8580aa06acbeae9c9

  • SHA256

    3ccc12a39185496cbc3bd9adbaa4a8a451bcfeeae97e0273e36caf5e62d5a9aa

  • SHA512

    e7b193059fa4ffb15c8d83a317adc74819990bc47a33c107ec00c9ae80a9161177710fa89651cf6a660605067b2b1c93612ef44d0bf1e2ac96a97be7d1eef62d

  • SSDEEP

    6144:z8JsLcpjzTDDmHayakLkrb4NSarQW82X+t40XR1CVNIQC9oL:IzxzTDWikLSb4NS7t2X+t40XR1GuQSoL

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

https://config.edge.skype.com

157.254.195.117

91.215.85.151

Attributes

  • base_path

    /jerry/

  • build

    250255

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

  • rsa_pubkey.plain

  • aes.plain

Targets

    • Target

      t2B88.exe

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks