Overview

overview

10

Static

static

3

file.dll

windows7-x64

10

file.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.dll

  • Size

    362KB

  • Sample

    230601-wdd9asff36

  • MD5

    3969d9062eb2daef1872aaf898636f08

  • SHA1

    7922117847dcda90de4d8fbaaa5613076b959115

  • SHA256

    7ce0babea43a0eca93ed5458b77df1cd695f672e8dd784d8ff0af777b66e7865

  • SHA512

    c88f6d7f3cea5dbc8341ad4a7f6c6fc197a6b9f30b807a2eb61ab9cf33d3f607f4ddd04e91eb461edf9842062319f60bbdf6d9f964f3fc20748c748734437bf4

  • SSDEEP

    3072:QmNJTdnsnRNulFiOxyioF2XfSGXbR4cFekbhO6r253I0rSis6bGCKLb1TASh8mU+:2MtTX3hdrCk6bGRL5TASh8mUUJaM

Score
10/10
gozi20000bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

20000

C2

chick.bing.com

http://79.132.129.207

http://94.247.42.106

http://94.247.42.79

http://185.212.44.76

http://45.155.249.200

http://45.155.250.216
Attributes
  • base_path

    /zerotohero/

  • build

    250257

  • exe_type

    loader

  • extension

    .asi

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

20000

C2

chick.bing.com

http://79.132.135.249

http://45.155.249.47

http://31.214.157.160

http://45.155.250.55

http://45.11.180.140

http://45.155.250.217

http://45.155.249.49
Attributes
  • base_path

    /zerotohero/

  • build

    250257

  • exe_type

    worker

  • extension

    .asi

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      file.dll

    • Size

      362KB

    • MD5

      3969d9062eb2daef1872aaf898636f08

    • SHA1

      7922117847dcda90de4d8fbaaa5613076b959115

    • SHA256

      7ce0babea43a0eca93ed5458b77df1cd695f672e8dd784d8ff0af777b66e7865

    • SHA512

      c88f6d7f3cea5dbc8341ad4a7f6c6fc197a6b9f30b807a2eb61ab9cf33d3f607f4ddd04e91eb461edf9842062319f60bbdf6d9f964f3fc20748c748734437bf4

    • SSDEEP

      3072:QmNJTdnsnRNulFiOxyioF2XfSGXbR4cFekbhO6r253I0rSis6bGCKLb1TASh8mU+:2MtTX3hdrCk6bGRL5TASh8mUUJaM

    Score
    10/10
    gozi20000bankerisfbtrojan

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks