gozi

General

Target

3dd859f7aa6f95b80aae2c7c4b5eaaf9.bin
Size

9KB
Sample

231007-brastaah92
MD5

8a33372e708e74f7724714301089c89f
SHA1

d0aef80e51a3f56b2b9656bd825d9d90d51fc7a7
SHA256

e7e9df4507c4491b0d533fbfcca44579f7fad5db87f7b10f8cbbfc31b6679bfc
SHA512

718de9596ac34dc9dbf6ee03aa479d08d1faff0f8bcc3fa8a1aaa699308241d46e9d1e230da9fbc00f9e41651e1141dbb5ed040cd9bd375ee7b690895f6e877b
SSDEEP

192:T1iFgQJc8l8XZYPe2Cm46IHkDC7gCmrko3MGw53Yht7hflEkXMkKwe:T0F/+E8XCWBm46I2dBAJYxtEkc7f

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

C2

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6.vbs
- Size
  
  22KB
- MD5
  
  3dd859f7aa6f95b80aae2c7c4b5eaaf9
- SHA1
  
  3ef2f7246e9dee40ca9b6a7ecc0b5c7568367e80
- SHA256
  
  8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6
- SHA512
  
  9552049edd58c22dac6f081c110eaebbcc23f0c28e3544c8387da5a1be376fbf0b7c777a95bc1277c5246f8588be7632fd9f335d428bdc58864c870d04d9f994
- SSDEEP
  
  384:GOjk+QtGIKg7ETp2FHIKIGZVgXFpmcMYqYaGmPUVdE/MMMWm4qVuAL:I9eYjTT//0MjgVuAL
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2