General

  • Target

    Invoice_Details.zip

  • Size

    10KB

  • Sample

    230718-t6q3fscc83

  • MD5

    32e7ae2c7ea17e394eec3262d00ca2cc

  • SHA1

    b1d4a8da261109f7c55923938f0d7f3507792db2

  • SHA256

    4a44bf781e5ddd0a77dcaa97caafb1be31392fa6fc63891ff7e595318030b540

  • SHA512

    90e1537c614448ba2d919221d54e483dc6d5eb6a3f8d5ca0bb0528e812a626cf26901a2202387deb29efc60a9d2a286b0bee8ab0e0d2b026b3156681e3291278

  • SSDEEP

    192:7jRpAsVb6q6tIrRMpKZjYMgxhqeacz2PqhYhn/xrTKwswSo8eez:PTAsMqwIFMpKebDqzcz2VhprTKwGoTM

Malware Config

Extracted

  • Family

    gozi

Extracted

  • Family

    gozi

  • Botnet

    20000

  • C2

    http://45.11.182.38
    http://79.132.130.230
    https://listwhfite.check3.yaho1o.com
    https://lisfwhite.ch2eck.yaheoo.com
    http://45.155.250.58
    https://liset.che3ck.bi1ng.com
    http://45.155.249.91

  • Attributes

    base_path: /zerotohero/
    build: 250260
    exe_type: loader
    extension: .asi
    server_id: 50
    rsa_pubkey.plain: (key present in the extracted config; value not shown in this report)
    aes.plain: (key present in the extracted config; value not shown in this report)
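
The extracted C2 list above mixes bare IP literals with hostnames whose registered domains imitate yahoo.com and bing.com (yaho1o.com, yaheoo.com, bi1ng.com), and the base_path and extension attributes describe the shape of the loader's download URLs. The following script is an added example written for this page, not part of the sandbox report or of the Gozi code base: it turns the extracted config into proxy-log detection logic. Assumptions are labelled in the code: the log format ("<ts> <client_ip> <method> <url> <status>") is constructed for the example, the lookalike check (edit distance 1 from a short brand list) is a heuristic of ours rather than anything the report states, and treating "base_path ... extension" as the request-path pattern is an inference from the attribute names.

```python
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted in the report above.
GOZI_C2 = [
    "http://45.11.182.38",
    "http://79.132.130.230",
    "https://listwhfite.check3.yaho1o.com",
    "https://lisfwhite.ch2eck.yaheoo.com",
    "http://45.155.250.58",
    "https://liset.che3ck.bi1ng.com",
    "http://45.155.249.91",
]
# Extracted attributes; we assume the loader builds paths as base_path + <name> + extension.
BASE_PATH = "/zerotohero/"
EXTENSION = ".asi"
# Brands the listed domains imitate. Assumption for the lookalike heuristic, not from the report.
BRANDS = ("yahoo", "bing")

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def c2_hosts(urls=GOZI_C2):
    """Split the C2 list into a set of IP literals and a set of lowercase hostnames."""
    ips, domains = set(), set()
    for u in urls:
        host = urlparse(u).hostname.lower()
        (ips if IPV4.match(host) else domains).add(host)
    return ips, domains


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host: str, brands=BRANDS):
    """Return the brand whose name the second-level label is one edit away from, else None.

    The exact brand label (e.g. 'yahoo' in www.yahoo.com) is deliberately not flagged.
    """
    labels = host.split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    for brand in brands:
        if sld != brand and edit_distance(sld, brand) == 1:
            return brand
    return None


def scan_proxy_log(lines, urls=GOZI_C2):
    """Return (client_ip, host, reasons) for every line that trips an indicator.

    Constructed line format for this example: '<ts> <client_ip> <method> <url> <status>'.
    """
    ips, domains = c2_hosts(urls)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        parsed = urlparse(parts[3])
        host = (parsed.hostname or "").lower()
        reasons = []
        if host in ips or host in domains:
            reasons.append("known C2 host")
        brand = lookalike_brand(host)
        if brand:
            reasons.append(f"lookalike of {brand}")
        if parsed.path.startswith(BASE_PATH) and parsed.path.endswith(EXTENSION):
            reasons.append("loader path pattern")
        if reasons:
            hits.append((parts[1], host, reasons))
    return hits


# Constructed sample log: one benign yahoo.com visit, two requests to listed C2s,
# one unrelated CDN fetch, and one request to a host that is NOT in the list but
# shares the imitated brand and the loader path shape.
SAMPLE_LOG = [
    "2023-07-18T09:14:02Z 10.0.0.21 GET https://www.yahoo.com/ 200",
    "2023-07-18T09:14:05Z 10.0.0.21 GET https://listwhfite.check3.yaho1o.com/zerotohero/aXdrMmQ.asi 200",
    "2023-07-18T09:14:09Z 10.0.0.21 GET http://45.155.250.58/zerotohero/bGpzZA.asi 200",
    "2023-07-18T09:15:00Z 10.0.0.34 GET https://cdn.example.net/static/app.js 200",
    "2023-07-18T09:15:30Z 10.0.0.34 GET https://update.che3ck.bi1ng.com/zerotohero/x.asi 404",
]

if __name__ == "__main__":
    for client, host, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

Exact host matching alone misses the last sample line, which is why the path pattern and the lookalike check are layered on top; the lookalike heuristic is deliberately narrow (one edit, registered-domain label only, exact brand excluded) but will still fire on unrelated short domains one edit away from "bing", so treat it as a triage signal rather than a blocking rule.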

Targets

    • Target

      Invoice_Details.js

    • Size

      42KB

    • MD5

      22067f54377e90dc3fdd5f384c1fe3ee

    • SHA1

      56b2afbc94b67f1c1f5e0a2340e25ca066b9baad

    • SHA256

      5e5722af27fc7ae05a9f9705ce1d680fec5fef27a67019c37e2bd768c8e7c07e

    • SHA512

      af74c25ae0cc74316411d129d7c0a13e81efe0b0cbb207c1e45e323288364b36d1b2d383af5161efb3a7c491494b67bfee90ec8c97420a956b623eb4f12bfe56

    • SSDEEP

      384:kac3is6ZeUS1ogXzxmOP0U4OmB/P9rVOKeHBYH8Ffu+wtizOdKUmJYgqEq4SjoaM:/7ylm9FgH1gTP5C1XfW51TJfmh1EE

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL
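
The report gives hashes for two layers: the Invoice_Details.zip container (General) and the Invoice_Details.js member it carries (Targets). Before relying on either set as an IOC, an analyst should confirm that a sample in hand reproduces both. The script below is an added example written for this page, not part of the report or of any vendor tooling: it hashes the archive and each member and compares them against the values copied from the report. The build_zip helper and the "abc" member used for offline testing are constructed fixtures; SSDEEP is omitted because it needs a third-party library.

```python
import hashlib
import io
import zipfile

# Hashes copied from this report: the outer archive (General) and the JavaScript
# member it carries (Targets). SHA512 values are omitted here for brevity.
REPORTED = {
    "Invoice_Details.zip": {
        "md5": "32e7ae2c7ea17e394eec3262d00ca2cc",
        "sha1": "b1d4a8da261109f7c55923938f0d7f3507792db2",
        "sha256": "4a44bf781e5ddd0a77dcaa97caafb1be31392fa6fc63891ff7e595318030b540",
    },
    "Invoice_Details.js": {
        "md5": "22067f54377e90dc3fdd5f384c1fe3ee",
        "sha1": "56b2afbc94b67f1c1f5e0a2340e25ca066b9baad",
        "sha256": "5e5722af27fc7ae05a9f9705ce1d680fec5fef27a67019c37e2bd768c8e7c07e",
    },
}


def compute_hashes(data: bytes) -> dict:
    """Lowercase hex MD5/SHA1/SHA256/SHA512 of a byte string."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256", "sha512")}


def verify_archive(zip_bytes: bytes, reported: dict = REPORTED,
                   container_name: str = "Invoice_Details.zip") -> dict:
    """Hash the container and every member and compare against the reported values.

    Returns {name: {"computed": {...}, "matches": {algo: bool}}}. A file the report
    does not list gets an empty "matches" dict so it is visible rather than ignored.
    """
    results = {}

    def check(name: str, data: bytes) -> None:
        computed = compute_hashes(data)
        expected = reported.get(name, {})
        results[name] = {
            "computed": computed,
            "matches": {algo: computed[algo] == val.lower() for algo, val in expected.items()},
        }

    check(container_name, zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():          # zf.read() raises on encrypted members
                check(info.filename, zf.read(info))
    return results


def all_match(results: dict) -> bool:
    """True only if every file was listed in the report and every listed hash matched."""
    return all(r["matches"] and all(r["matches"].values()) for r in results.values())


def build_zip(members: dict) -> bytes:
    """Constructed fixture helper: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        res = verify_archive(fh.read())
    for name, r in res.items():
        status = "OK" if r["matches"] and all(r["matches"].values()) else "MISMATCH/UNLISTED"
        print(f"{status:17} {name}  sha256={r['computed']['sha256']}")
```

Run it as `python verify.py Invoice_Details.zip`; any member whose name is not in the report is printed as UNLISTED, which is the case to look at first, since a re-packed lure can keep the same inner script while changing the container hash.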

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (1 matching signature)

    T1012

  • System Information Discovery (2 matching signatures)

    T1082

Tasks