General

  • Target

    911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe

  • Size

    274KB

  • Sample

    231007-j1msqscc45

  • MD5

    d18f3fecf6d28ddd0f4cf4a9b53c0aec

  • SHA1

    05263b9ec69fcf48cc71443ba23545fabe21df12

  • SHA256

    911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

  • SHA512

    4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

  • SSDEEP

    3072:utyJSwPI9F4BwVVO+kjH4wjyIphvo3ZDivScpBaa4l8QU:iyrPa4BI7wuIphg3ZDi6cnA8Q

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

http://igrovdow.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe

    • Size

      274KB

    • MD5

      d18f3fecf6d28ddd0f4cf4a9b53c0aec

    • SHA1

      05263b9ec69fcf48cc71443ba23545fabe21df12

    • SHA256

      911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

    • SHA512

      4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

    • SSDEEP

      3072:utyJSwPI9F4BwVVO+kjH4wjyIphvo3ZDivScpBaa4l8QU:iyrPa4BI7wuIphg3ZDi6cnA8Q

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks