gozi

General

Target

client.exe
Size

295KB
Sample

231003-p4y8tscf56
MD5

b54e56a2503ac379bcd8e61852d5e861
SHA1

abcfaff56afa6239ac8efaf8e36ef22b6cc9e8d9
SHA256

d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a
SHA512

fa22a6d5369dd5a06647752ea9ec9f335fe57682931b6808bcd4dd84a3eac5d33f0ec525e23f893b820c6b0e76f46c53ae3cf14ecfbf4e468730dcff817a6513
SSDEEP

3072:w6JyBmvmBEayo1tFHtWl0VnkDS7cW6VnYR4UhsyT+dNIY:xJyIv4EayofFNVtMns4y7T+r

Score

10^/10

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  client.exe
- Size
  
  295KB
- MD5
  
  b54e56a2503ac379bcd8e61852d5e861
- SHA1
  
  abcfaff56afa6239ac8efaf8e36ef22b6cc9e8d9
- SHA256
  
  d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a
- SHA512
  
  fa22a6d5369dd5a06647752ea9ec9f335fe57682931b6808bcd4dd84a3eac5d33f0ec525e23f893b820c6b0e76f46c53ae3cf14ecfbf4e468730dcff817a6513
- SSDEEP
  
  3072:w6JyBmvmBEayo1tFHtWl0VnkDS7cW6VnYR4UhsyT+dNIY:xJyIv4EayofFNVtMns4y7T+r
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Checks computer location settings

Deletes itself

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2