General

  • Target

    client.exe

  • Size

    295KB

  • Sample

    231003-p4y8tscf56

  • MD5

    b54e56a2503ac379bcd8e61852d5e861

  • SHA1

    abcfaff56afa6239ac8efaf8e36ef22b6cc9e8d9

  • SHA256

    d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a

  • SHA512

    fa22a6d5369dd5a06647752ea9ec9f335fe57682931b6808bcd4dd84a3eac5d33f0ec525e23f893b820c6b0e76f46c53ae3cf14ecfbf4e468730dcff817a6513

  • SSDEEP

    3072:w6JyBmvmBEayo1tFHtWl0VnkDS7cW6VnYR4UhsyT+dNIY:xJyIv4EayofFNVtMns4y7T+r

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      client.exe

    • Size

      295KB

    • MD5

      b54e56a2503ac379bcd8e61852d5e861

    • SHA1

      abcfaff56afa6239ac8efaf8e36ef22b6cc9e8d9

    • SHA256

      d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a

    • SHA512

      fa22a6d5369dd5a06647752ea9ec9f335fe57682931b6808bcd4dd84a3eac5d33f0ec525e23f893b820c6b0e76f46c53ae3cf14ecfbf4e468730dcff817a6513

    • SSDEEP

      3072:w6JyBmvmBEayo1tFHtWl0VnkDS7cW6VnYR4UhsyT+dNIY:xJyIv4EayofFNVtMns4y7T+r

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks