gozi | 463174e74e8c212a4024f1ccc1bf4490d2ffe6d5ef9c573cc512c5b996adb437 | Triage

Sharing

General

Target

Contratto991.zip
Size

487B
Sample

230324-ng4z5adh77
MD5

2e10dd62f4a9c0e65e8b89348512ba3e
SHA1

375488048de003ce196799d4f51e26c8204adc54
SHA256

463174e74e8c212a4024f1ccc1bf4490d2ffe6d5ef9c573cc512c5b996adb437
SHA512

f913c60c4c5f104c29ce9f7e874d841e3a4ccbdee7e2440e0e321eed5697ad15a8a95799962fff5dfbdd61eaa166d884b47258300b7c362bc41ae8af99f2f7f7

Score

10^/10

gozi 7716 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7716

C2

checklist.skype.com

193.233.175.115

185.68.93.20

62.173.140.250

46.8.210.133

Attributes

base_path
/drew/
build
250255
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  Contratto/Contratto.url
- Size
  
  189B
- MD5
  
  084628be20c0cc112964dc4efe6dbc93
- SHA1
  
  5535112912b97b970ba4b3b7d51896658beadb46
- SHA256
  
  2e93682935ab93fcb97ede1f8aba8076adf5e440a40a407a96f97c1b3af5188f
- SHA512
  
  8f2864a3c09fd7db9b390ef50e90bdd540455dec909ed8ed7afb681517b11c9dfbb5ab205b975103b9d3c0e6d44eca1a30c7af905593b5d72d6541b8b2bf6c8a
Score

10^/10

gozi 7716 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

gozi7716bankerisfbtrojan