Overview

overview

10

Static

static

1

impresa.url

windows7-x64

1

impresa.url

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    impresa145.zip

  • Size

    333B

  • Sample

    231003-m6t1sabh66

  • MD5

    5ff7577d70a6e1f1ce749180a06a4621

  • SHA1

    37ca94eefd3af02f638a6ea601a4088f204771ed

  • SHA256

    8591ffc132683cf4b3ae634ca29847788d15bbced677e02770b4cdb2e6e4192b

  • SHA512

    288d3854efe81b8fbea529de09f75670fcaa73532678e9c67456d3fdbe3019278be4707b24b957651316c1594155f30b18bf3a48ad8021e6ee48c7e473a7ec01

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

46.8.210.250

31.41.44.9

185.247.184.139

62.72.33.155
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      impresa.url

    • Size

      192B

    • MD5

      52aa02b4f67f2f504fcb991e6d094e58

    • SHA1

      87e772a1597eba6b20bb750fd79c9ac30738229a

    • SHA256

      8bb04ebea49b92e090b777efedfa44c8aa881a5531a0791f7f2404d0d50f9963

    • SHA512

      e5baa8bbce30f1ca6c64705b9145454857c02f2a27308fc27b07c145517cbd3ccbde2cb57f94459df9fe4311a82cb3607f097a6219286f1d9eca44b953d54be4

    Score
    10/10
    gozi5050bankerdaveisfbtrojan

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Dave packer

      Detects executable using a packer named 'Dave' by the community, based on a string at the end.

      dave

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks