gozi | 31ce65f830e52f5b6d7e6c266d7841e11662e71d6715d5211776ebb91beb3ec4 | Triage

Sharing

General

Target

31ce65f830e52f5b6d7e6c266d7841e11662e71d6715d5211776ebb91beb3ec4_JC.url
Size

192B
Sample

230929-rwtz9abh4z
MD5

91b01df174309ed2c53f214b38a3c817
SHA1

be006917a3451c90e81fb2778920de08e610d8d7
SHA256

31ce65f830e52f5b6d7e6c266d7841e11662e71d6715d5211776ebb91beb3ec4
SHA512

406d21df8b67083df3d70c3971feb506ee12903c33e3d03cd07e423ae1726dfffc6759d0f7da49f99a72f4044252dffa6107f5980effaa81279e5d909ec9e047

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  31ce65f830e52f5b6d7e6c266d7841e11662e71d6715d5211776ebb91beb3ec4_JC.url
- Size
  
  192B
- MD5
  
  91b01df174309ed2c53f214b38a3c817
- SHA1
  
  be006917a3451c90e81fb2778920de08e610d8d7
- SHA256
  
  31ce65f830e52f5b6d7e6c266d7841e11662e71d6715d5211776ebb91beb3ec4
- SHA512
  
  406d21df8b67083df3d70c3971feb506ee12903c33e3d03cd07e423ae1726dfffc6759d0f7da49f99a72f4044252dffa6107f5980effaa81279e5d909ec9e047
Score

10^/10

gozi 5050 banker dave isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Dave packer
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  dave
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

gozi5050bankerdaveisfbtrojan