Resubmissions

26-03-2023 10:19

230326-mc1w8sab3s 3

26-03-2023 10:19

230326-mch2esgb75 10

General

  • Target

    Organizzazione571.zip

  • Size

    517B

  • Sample

    230326-mch2esgb75

  • MD5

    a03e51781fbf641b6bce7863f7990f90

  • SHA1

    6160e801d60495880636741d643927c4631de8a0

  • SHA256

    5e13daad538571332b6944ab418c0004cdb0cf8aaf7e368270d29dc8d93dcddd

  • SHA512

    87b9ba097759d3e8e41766f69207276e8503128644c4828d6b4e62053b57e07e158846bb5e7930aa304edeacca3afe1782ab7ff5200482400fc92ea895eb9ef5

Malware Config

Extracted

Family

gozi

Botnet

7716

C2

checklist.skype.com

193.233.175.115

185.68.93.20

62.173.140.250

46.8.210.133

Attributes

  • base_path

    /drew/

  • build

    250255

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Targets

    • Target

      Organizzazione/Organizzazione.url

    • Size

      189B

    • MD5

      4571c088033c1b952cc7a47d6d912ccf

    • SHA1

      5ea33a903ab401f3df83458270249486f10b5788

    • SHA256

      5fff289b5afb58911385428f650b19eae8085e8261d283258500360b1747e0a8

    • SHA512

      5682b850056cb1e864ca9a123a52fd5f54b01fe809b9a7fc3abcf71a7cf09a7fab9c08907cca9a502cd28034e3306c6161310efb118b5ac47ca170d19236da64

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012)

    1

  • System Information Discovery (T1082)

    2

Tasks