gozi

General

Target

client_5.hta
Size

22KB
Sample

231006-n31vlaba2x
MD5

988f8a03ac893e41d4f9aaca5addafe1
SHA1

d3bda7e7be11da19cd3adf16a4c58548eb573f74
SHA256

0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf
SHA512

2dd80008e91d35da4d60572be008ab60ae7edd5ebe5b94518c3bfb3aa573c812e2abeb3c7d4033ca9cf5b99e64db5537c79b3e6aae8bd89e894de7fcc2a5b1c1
SSDEEP

384:pA7lUDQMeK43MV0p6WUuJOJjmF9Koq5nZN851z9fwP3jXMeSnqIc6l:H2MWqwRwPDd6l

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  client_5.hta
- Size
  
  22KB
- MD5
  
  988f8a03ac893e41d4f9aaca5addafe1
- SHA1
  
  d3bda7e7be11da19cd3adf16a4c58548eb573f74
- SHA256
  
  0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf
- SHA512
  
  2dd80008e91d35da4d60572be008ab60ae7edd5ebe5b94518c3bfb3aa573c812e2abeb3c7d4033ca9cf5b99e64db5537c79b3e6aae8bd89e894de7fcc2a5b1c1
- SSDEEP
  
  384:pA7lUDQMeK43MV0p6WUuJOJjmF9Koq5nZN851z9fwP3jXMeSnqIc6l:H2MWqwRwPDd6l
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2