gozi

General

Target

26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81_JC.exe
Size

287KB
Sample

230929-rs973adb24
MD5

bbf59fbbb9de660e113d82597c289cff
SHA1

85e3f40d8e5e5b93ef0e45e3cb5eec9dd19685be
SHA256

26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81
SHA512

8310447870f5de4ae575306391295f205d8ec0e3295f30e8b79e6d65a4e85ad408b0d07859e1c30294c843e5d23ca324d24fb20fe9ddb299dc4ad47d6a24cbfa
SSDEEP

3072:j6ya4jStntwsx48m71HMmJn0iZw6vK1ZRQxAgaX6wwrz+UTaBgfUd0:Q4gtTm7+mJnNZfK1ZRHRoJ

Score

10^/10

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

C2

31.41.44.79

185.248.144.203

netsecurez.com

whofoxy.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81_JC.exe
- Size
  
  287KB
- MD5
  
  bbf59fbbb9de660e113d82597c289cff
- SHA1
  
  85e3f40d8e5e5b93ef0e45e3cb5eec9dd19685be
- SHA256
  
  26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81
- SHA512
  
  8310447870f5de4ae575306391295f205d8ec0e3295f30e8b79e6d65a4e85ad408b0d07859e1c30294c843e5d23ca324d24fb20fe9ddb299dc4ad47d6a24cbfa
- SSDEEP
  
  3072:j6ya4jStntwsx48m71HMmJn0iZw6vK1ZRQxAgaX6wwrz+UTaBgfUd0:Q4gtTm7+mJnNZfK1ZRHRoJ
Score

10^/10

gozi 5050 banker dave isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Dave packer
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  dave
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Dave packer

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2