gozi | 16c676aab1d91c2252b09d1618aa9948132cd28f4aebbe7451718565cb1a7d2f | Triage

Sharing

General

Target

Servizi193.zip
Size

334B
Sample

230928-qjdxtsbe4s
MD5

419f2d5550357bb8943675f556c3c1bf
SHA1

ce1f8c8ac7bba90072f169cc285d1c4c556ae422
SHA256

16c676aab1d91c2252b09d1618aa9948132cd28f4aebbe7451718565cb1a7d2f
SHA512

aa606265840a808a14d26cf41cf435471dc5cc91e903af1c42eb43336cdfeb0b41f61b040b0213bd33773701f4cf390cc131feb2587cee138362f1cc80863504

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  Servizi.url
- Size
  
  193B
- MD5
  
  8700ae84ce3630a8321b710be0ee3316
- SHA1
  
  dcdef6d4bfb7b239bd351e1fee2785cdfc2fb8dd
- SHA256
  
  7581bddb9275a5cf702ff7376a3ec41e2c51c745a08be4bd874f5e831859cb38
- SHA512
  
  e93025559ccb84bf1fddb775165e64bacd3b6dd7551451769fcbeef1e45007cc6c86aa0e63c6d551819031fc6a48ed096db114e8b6e128fd6b2bc3837f1e9e71
Score

10^/10

gozi 5050 banker dave isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Dave packer
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  dave
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

gozi5050bankerdaveisfbtrojan