General

  • Target

    Azienda.zip

  • Size

    320B

  • Sample

    231012-qqm43sdh95

  • MD5

    aa680f5e07148fdbef3e79ea07e11846

  • SHA1

    535a87459f80f0f73ae6807a4c1b9999ec22c146

  • SHA256

    2110da33cfe1eaecd05be82b4717cd7381665f5c729a67c7671e612bae06fc24

  • SHA512

    af2e519ac8e482b8b80dad88ad63668a09ac6921c0da3598ccefddbf959e7cf5cfde4ad9a2cef3e9e2324febbe98c32c8f5796a6c29df51c6020e787a27aeeea

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      Azienda.url

    • Size

      193B

    • MD5

      385b2d1cc0f48c9b113009619258b210

    • SHA1

      2a956120277957bf6b11ec05568e148cb1c0bc7c

    • SHA256

      589deb6665a90960cfbe3db62f3477f9a2087a2b2eb03d1a19ea69374a9eb34e

    • SHA512

      a82d7f78c72d8ba1849473a7ac2536e1c332289fbdf11c6ea6f5de6f182208871a4ccb59a0f5facccdd6d0c78e9c9e10dcfe4aa067426fe0ce69358477364e18

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks