gozi | b9bff5d55153184ceef31bf335fafb425fe512fe8f702e072bb1fd377493abd8 | Triage

Sharing

General

Target

Cliente.zip
Size

320B
Sample

231012-rezjeadc9t
MD5

326843585860553511ef01e762f6f802
SHA1

efe4227588ac122273a83960573d6af5ee3dd17d
SHA256

b9bff5d55153184ceef31bf335fafb425fe512fe8f702e072bb1fd377493abd8
SHA512

f8b034f60cf5d52fac2f87ed35c3d1b49f96a8a500ec8b341fe65be3747c6fdcbd69291449c93d84c6c8ff8add8f82e73979e2a1992546c8dc58982af4828b87

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  Cliente.url
- Size
  
  194B
- MD5
  
  0da2f6812c1bc76eaa25be1e6a2eaf4c
- SHA1
  
  e4b237e5f7bb7b96e9bfb43c126541fc892d3b0a
- SHA256
  
  0042887574aae1f954f0459b9448c0fa4501bb8719843940315d466645da9a7b
- SHA512
  
  a5495580fae00444b4edbff6894e1e302025ddff295a26fe519bc229724d3961646afb1cece2be892b19840035152a937fa3f7910e4fe04adea751eb319d96cb
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

gozi5050bankerisfbtrojan