General

  • Target: client.exe
  • Size: 295KB
  • Sample: 231003-p4y8tscf56
  • MD5: b54e56a2503ac379bcd8e61852d5e861
  • SHA1: abcfaff56afa6239ac8efaf8e36ef22b6cc9e8d9
  • SHA256: d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a
  • SHA512: fa22a6d5369dd5a06647752ea9ec9f335fe57682931b6808bcd4dd84a3eac5d33f0ec525e23f893b820c6b0e76f46c53ae3cf14ecfbf4e468730dcff817a6513
  • SSDEEP: 3072:w6JyBmvmBEayo1tFHtWl0VnkDS7cW6VnYR4UhsyT+dNIY:xJyIv4EayofFNVtMns4y7T+r

Malware Config

Extracted

Family: gozi

Extracted

Family: gozi
Botnet: 5050
C2:
  • 185.247.184.139
  • 62.72.33.155
  • incontroler.com

Attributes
  • base_path: /jerry/
  • build: 250260
  • exe_type: loader
  • extension: .bob
  • server_id: 50

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT+Q3w7Xs9fAt8SXJtHrdrgSpX
ZJ7mYvJQRhPhBS2ph1RKaSJicOxxQmTHieiqTJKERntDT5L1ifaGy26dxA86AGfd
XjC/XfKTdwwapcqk2YxzAB+tzodCX+mceEbdmQba4eICHq1AFSTjUlQoK/3URIVX
i7CgAtxZCgCXPIw1PwIDAQAB
-----END PUBLIC KEY-----

aes.plain
qRFDkNYVe8pOvx5l

Extracted

Family: gozi
Botnet: 5050
C2:
  • expirew.com
  • whofos.com
  • onlinepoints.online
  • onlinepoints.top

Attributes
  • base_path: /pictures/
  • build: 250260
  • exe_type: worker
  • extension: .bob
  • server_id: 50

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT+Q3w7Xs9fAt8SXJtHrdrgSpX
ZJ7mYvJQRhPhBS2ph1RKaSJicOxxQmTHieiqTJKERntDT5L1ifaGy26dxA86AGfd
XjC/XfKTdwwapcqk2YxzAB+tzodCX+mceEbdmQba4eICHq1AFSTjUlQoK/3URIVX
i7CgAtxZCgCXPIw1PwIDAQAB
-----END PUBLIC KEY-----

aes.plain
0gV5XR1ZycScNvAe

Targets

    • Target: client.exe (size and hashes as listed under General above)

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
