gozi

General

Target

bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe
Size

422KB
Sample

230929-smx6zscd8t
MD5

c788f8e7a2d0311297bd198ca9d05ec8
SHA1

64240992ba99ae27b0bb4fe277a95524a4b139db
SHA256

bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd
SHA512

2295c28aa11e3c1ea09f0ba790ea1e8322b3c996f4f27bf0aec9edf0997329ea8d13b98417e856f7bd922f4a0d9ef786117b8354a04b752d53e6b53733db4f5d
SSDEEP

6144:eH0vsBFRMXdX0tn7qnmUVR9g0pHii2B8mG+R2FLxgwExgw:eH0v4FRyX0tnWnN9pHiN4+R2NxEx

Score

10^/10

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

C2

31.41.44.79

185.248.144.203

netsecurez.com

whofoxy.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe
- Size
  
  422KB
- MD5
  
  c788f8e7a2d0311297bd198ca9d05ec8
- SHA1
  
  64240992ba99ae27b0bb4fe277a95524a4b139db
- SHA256
  
  bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd
- SHA512
  
  2295c28aa11e3c1ea09f0ba790ea1e8322b3c996f4f27bf0aec9edf0997329ea8d13b98417e856f7bd922f4a0d9ef786117b8354a04b752d53e6b53733db4f5d
- SSDEEP
  
  6144:eH0vsBFRMXdX0tn7qnmUVR9g0pHii2B8mG+R2FLxgwExgw:eH0v4FRyX0tnWnN9pHiN4+R2NxEx
Score

10^/10

gozi 5050 banker dave isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Dave packer
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  dave
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Dave packer

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2