gozi

General

Target

client.exe
Size

294KB
Sample

231003-3vg5vahh82
MD5

e8076ccdf5fa25a9b54bf28c85775e2f
SHA1

787750437cc8b121f798863f55060e2fe362fa01
SHA256

94f9901021891b76a7602ad7a8ca17ba0b8b2fb268c3d2417a7fdc226519ac33
SHA512

44fa12fd3dc538c7ac5bc5fe1da0e2a04afe2586e2b7977cf8d845a91e32d0173ecb145a972f718b6d3439350d7630d04cb342a3c388bd2f2a8ebe07a6e5e93f
SSDEEP

3072:n2S7BTivBoduzHLmtkY2j0eUnkrfPqU6xyhACMOTMNjAY:2WB+vaduzHLmtMSnkrXq7qAgQN

Score

10^/10

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  client.exe
- Size
  
  294KB
- MD5
  
  e8076ccdf5fa25a9b54bf28c85775e2f
- SHA1
  
  787750437cc8b121f798863f55060e2fe362fa01
- SHA256
  
  94f9901021891b76a7602ad7a8ca17ba0b8b2fb268c3d2417a7fdc226519ac33
- SHA512
  
  44fa12fd3dc538c7ac5bc5fe1da0e2a04afe2586e2b7977cf8d845a91e32d0173ecb145a972f718b6d3439350d7630d04cb342a3c388bd2f2a8ebe07a6e5e93f
- SSDEEP
  
  3072:n2S7BTivBoduzHLmtkY2j0eUnkrfPqU6xyhACMOTMNjAY:2WB+vaduzHLmtMSnkrXq7qAgQN
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Checks computer location settings

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2