gozi

General

Target

payload.bin.exe
Size

37KB
Sample

231004-bt3xdagd81
MD5

532039d2f764d59a4c1cac5e6091aa52
SHA1

a1abbd3f89897952fc0a90e60ca49983c287a65c
SHA256

bf0916eecb599636acf604e0111508923f638d8e077e9e0ab518f4e8f63f8e97
SHA512

711c7a4d7481b414178542aac5ef908b5b66b50ed96305c9f159ea4b1762ddb77f2125470bbb8101909ff4c77c51d3c7e0a121d65a7356bc28756f8028f01b0b
SSDEEP

768:MA3rPI5jShpW1v5wlZkyJ8Kl7aQixYgxYJmv0NHY7lbjNltdX2k:j3rPI5jSu1aZkyVJaf3C7YJj3HG

Score

10^/10

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  payload.bin.exe
- Size
  
  37KB
- MD5
  
  532039d2f764d59a4c1cac5e6091aa52
- SHA1
  
  a1abbd3f89897952fc0a90e60ca49983c287a65c
- SHA256
  
  bf0916eecb599636acf604e0111508923f638d8e077e9e0ab518f4e8f63f8e97
- SHA512
  
  711c7a4d7481b414178542aac5ef908b5b66b50ed96305c9f159ea4b1762ddb77f2125470bbb8101909ff4c77c51d3c7e0a121d65a7356bc28756f8028f01b0b
- SSDEEP
  
  768:MA3rPI5jShpW1v5wlZkyJ8Kl7aQixYgxYJmv0NHY7lbjNltdX2k:j3rPI5jSu1aZkyVJaf3C7YJj3HG
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2