gozi | e8649ad469c23e3ce48ccd5ba939548722841e3012444a257252bd7c6960a244 | Triage

Sharing

General

Target

Servizi387.zip
Size

333B
Sample

231003-gjk7gaad68
MD5

8abcabd16540cc77e6f820c561719eec
SHA1

cdbd2c3363d355cfe6c03887c98388d26278d462
SHA256

e8649ad469c23e3ce48ccd5ba939548722841e3012444a257252bd7c6960a244
SHA512

5fe9f11403600c84eb952e8498cb5aaa357d653cc2ad016164a32eee4c063adf4723d6a182610dc09ecd034ce66dcee3bd6ca2fb7e87c42ca1d528b8a6708cfe

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

46.8.210.250

31.41.44.9

185.247.184.139

62.72.33.155

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  Servizi.url
- Size
  
  192B
- MD5
  
  aa05bdf7862a64f54d6e281944fb0f51
- SHA1
  
  60fe537372be17e284f0121f5da307325da6ca92
- SHA256
  
  e798fb0280fbc91cbb32234af0c55c4c6e16f528f8282057e334c2055ac07d13
- SHA512
  
  e471d9b97fc022e3a769a936f37590da9e3f32e76fb5934ffea91ef8c1fb39f719330cb5299fbb38272bb5b34aac8e28ab05bc2180478eb1bca839911a87a302
Score

10^/10

gozi 5050 banker dave isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Dave packer
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  dave
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

gozi5050bankerdaveisfbtrojan