General

  • Target

    3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd_JC.exe

  • Size

    406KB

  • Sample

    231011-gwjt6sga55

  • MD5

    2f5a00394c3568e91f6302dc6c8b196c

  • SHA1

    116f6ba99db4592f1ab5ccb1a734fdc5a52021bc

  • SHA256

    3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd

  • SHA512

    a30efa790e3ad7af4e574ef0bf359b6a91691947cf434ddcd30a228af29dea0a9b5c1daff050ecae6e88912e8f04813f1df9680e6fc896cee63e36476e4bbe36

  • SSDEEP

    12288:l1HmKzwKhZhZsuyOtldw5hbu5Ty7pySxN1t:bHGKhZzLQ5Wn6H

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd_JC.exe

    • Size

      406KB

    • MD5

      2f5a00394c3568e91f6302dc6c8b196c

    • SHA1

      116f6ba99db4592f1ab5ccb1a734fdc5a52021bc

    • SHA256

      3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd

    • SHA512

      a30efa790e3ad7af4e574ef0bf359b6a91691947cf434ddcd30a228af29dea0a9b5c1daff050ecae6e88912e8f04813f1df9680e6fc896cee63e36476e4bbe36

    • SSDEEP

      12288:l1HmKzwKhZhZsuyOtldw5hbu5Ty7pySxN1t:bHGKhZzLQ5Wn6H

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Dave packer

      Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks