gozi | 2110da33cfe1eaecd05be82b4717cd7381665f5c729a67c7671e612bae06fc24 | Triage

Sharing

General

Target

Azienda.zip
Size

320B
Sample

231012-qqm43sdh95
MD5

aa680f5e07148fdbef3e79ea07e11846
SHA1

535a87459f80f0f73ae6807a4c1b9999ec22c146
SHA256

2110da33cfe1eaecd05be82b4717cd7381665f5c729a67c7671e612bae06fc24
SHA512

af2e519ac8e482b8b80dad88ad63668a09ac6921c0da3598ccefddbf959e7cf5cfde4ad9a2cef3e9e2324febbe98c32c8f5796a6c29df51c6020e787a27aeeea

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  Azienda.url
- Size
  
  193B
- MD5
  
  385b2d1cc0f48c9b113009619258b210
- SHA1
  
  2a956120277957bf6b11ec05568e148cb1c0bc7c
- SHA256
  
  589deb6665a90960cfbe3db62f3477f9a2087a2b2eb03d1a19ea69374a9eb34e
- SHA512
  
  a82d7f78c72d8ba1849473a7ac2536e1c332289fbdf11c6ea6f5de6f182208871a4ccb59a0f5facccdd6d0c78e9c9e10dcfe4aa067426fe0ce69358477364e18
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gozi5050bankerisfbtrojan