gozi

General

Target

818c482b0d6be6f5c9449c76d79edf4e038fe639267b2da83675e0c5b723cea7_JC.zip
Size

8KB
Sample

231006-p1mevsbe3t
MD5

f90b985db5c3c422248e444e619fa8c1
SHA1

72f729e0782b250036c1ff501c2240abe72ecaed
SHA256

818c482b0d6be6f5c9449c76d79edf4e038fe639267b2da83675e0c5b723cea7
SHA512

0c09fb85ab31ca7138a5a0d821ceb89505964ef1a200145811ba21c0be546a4657ad70cbae348a7c3c21fdff51b38ff604576f09bc15c5d8d121f24c4b6da7bd
SSDEEP

192:PrJyPBWk5W+qhc0LZJkqr9YDXObiEbmA/cOYFBCzAt3tdVGv1NxTu:PcPIJ+aJkm9YD+bnPcOfEpHVG9NxTu

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  client_1.hta
- Size
  
  22KB
- MD5
  
  57d3eb665f1e9e6a19f278baabd49e7b
- SHA1
  
  44566a9d716e6abd0304544dd88d245fea990882
- SHA256
  
  4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d
- SHA512
  
  30a0a3349aa0b815728abdb0c770d65354cdcf68ca939de4c175bdb285e3d664d7afdddc4be91bae170a65e4f808e6de7cc877fa36442f64f7b7db993e83851d
- SSDEEP
  
  384:rO6BO5aa8mOFhyS1q5H8qxAt4VFhmqmfW9PW6vN1v35Zh5LaBY5E6bqBdOfF:4zS0kPWVN5LbtcOfF
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2