General

  • Target

    Documenti.zip

  • Size

    325B

  • Sample

    231012-rezjeadc9v

  • MD5

    f85a571e79c4826aba3805084689bc27

  • SHA1

    c8bc385897c84b7a5ab01682967bc8b11b4f80d1

  • SHA256

    a9ea9e40f12e969624fed4710df884076b80b97b7a29e5e830c01e9c4e46596a

  • SHA512

    57064a8899e41264962eefb2e463d4a64a255e812f55f77cec9a3e31f8140a06d79a4336efd43f3ff77742e8af55c94fac83ff86a9433683aa9c214b9201a2bc

Malware Config

Extracted

  • Family

    gozi

Extracted

  • Family

    gozi

  • Botnet

    5050

  • C2

    fotexion.com

  • Attributes

    base_path: /jerry/
    build: 250260
    exe_type: loader
    extension: .bob
    server_id: 50

  • Keys

    rsa_pubkey.plain
    aes.plain

Extracted

  • Family

    gozi

  • Botnet

    5050

  • C2

    fotexion.com

  • Attributes

    base_path: /pictures/
    build: 250260
    exe_type: worker
    extension: .bob
    server_id: 50

  • Keys

    rsa_pubkey.plain
    aes.plain
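The two extracted configs share one C2 host (fotexion.com), one extension (.bob) and one build (250260), and differ only in base_path (/jerry/ for the loader, /pictures/ for the worker). Gozi/ISFB assembles its beacon URL from base_path, an encoded request string and extension, so those fields are directly usable for proxy-log hunting. The script below is an added example, not code from the sandbox or from this report; the log lines it scans are constructed, and the "client method url status" log layout is an assumption.

```python
"""Hunt proxy logs for requests that fit the Gozi C2 settings extracted above."""
from urllib.parse import urlsplit

# Values taken from the extracted configs on this page (loader and worker).
GOZI_C2 = {
    "host": "fotexion.com",
    "base_paths": ("/jerry/", "/pictures/"),
    "extension": ".bob",
}

# Constructed sample proxy log, one request per line: "client method url status".
# These lines are illustrative and were not observed in the sandbox run.
SAMPLE_LOG = """\
10.0.0.5 GET http://fotexion.com/jerry/Kd8sJ2/aZq1.bob 200
10.0.0.5 GET http://example.org/index.html 200
10.0.0.7 GET http://fotexion.com/pictures/9sQ2f/v0.bob 200
10.0.0.9 GET http://fotexion.com/favicon.ico 404
10.0.0.9 GET http://cdn.example.net/jerry/file.bob 200
"""


def c2_matcher(cfg):
    """Build a predicate for the beacon shape: C2 host (if configured), a configured
    base_path prefix, and the configured extension at the end of the path."""
    prefixes = tuple(p.rstrip("/") + "/" for p in cfg["base_paths"])
    want_host = (cfg.get("host") or "").lower() or None

    def match(url):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if want_host is not None and host != want_host:
            return False
        return parts.path.startswith(prefixes) and parts.path.endswith(cfg["extension"])

    return match


def scan_log(text, cfg=GOZI_C2):
    """Return (client, url) pairs for every request that matches the C2 configuration."""
    match = c2_matcher(cfg)
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash the hunt
        client, url = fields[0], fields[2]
        if match(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}")
```

Matching on the host alone is enough for this sample, but passing a config with `host` set to `None` keeps only the base_path and extension test, which catches the same build if the operators move the C2 to another domain, at the cost of more false positives (the last constructed line shows one).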

Targets

    • Target

      Documenti.url

    • Size

      195B

    • MD5

      4d7d46f082ea539ffef896638e7f621e

    • SHA1

      f1b9e5c62fe28ba60f7977bc9ff7a48124d40294

    • SHA256

      2d58ddd8ca73f4eff0945a3537e0a7bf888fdf7fb963ef43d8e07f5517404f69

    • SHA512

      9f14c82416a0861348cec391c9f87664bd0772a5bfd973c3ad0ab6bb071df5778781d2ba5dbcedfbc65d26c58c86eb9d14a8299cecd611e9dfedabbbf1fa922e

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
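The analysed target is a 195-byte Internet Shortcut (Documenti.url) delivered inside a 325-byte zip, a common lure format whose whole payload is a few INI-style lines. The triage helper below is an added example, not code from the sandbox or from this report: it unpacks a zip in memory, parses every .url member, and flags targets that point at file:/UNC paths, executable or script extensions, or remote icon paths. The shortcut content and the zip it builds are constructed for the example; the real Documenti.url target is not shown on this page.

```python
"""Triage Internet Shortcut (.url) files carried inside a zip archive."""
import configparser
import hashlib
import io
import zipfile

# Constructed sample shortcut (NOT the content of the real Documenti.url).
SAMPLE_URL_FILE = (
    b"[InternetShortcut]\r\n"
    b"URL=file://203.0.113.10@80/share/Documenti.lnk\r\n"
    b"IconFile=\\\\203.0.113.10@80\\share\\icon.ico\r\n"
    b"IconIndex=1\r\n"
)

SUSPICIOUS_EXT = (".lnk", ".exe", ".dll", ".js", ".vbs", ".hta", ".bat", ".cmd", ".scr", ".msi")


def parse_url_file(data):
    """Return the [InternetShortcut] fields with lower-cased keys ({} if the section is absent).
    Windows treats the section name case-insensitively, so we do the same."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16", errors="replace")
    else:
        text = data.decode("utf-8-sig", errors="replace")
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    parser.read_string(text)
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return {k.lower(): (v or "") for k, v in parser.items(section)}
    return {}


def triage_url_file(data):
    """Parse one .url file and return its target, findings and SHA-256."""
    fields = parse_url_file(data)
    url = fields.get("url", "")
    lower = url.lower()
    findings = []
    if lower.startswith("file:") or lower.startswith("\\\\"):
        findings.append("target is a file:/UNC path, not a web page")
    if lower.rstrip("/").endswith(SUSPICIOUS_EXT):
        findings.append("target has an executable or script extension")
    for key in ("iconfile", "workingdirectory"):
        value = fields.get(key, "")
        if value.startswith("\\\\") or value.lower().startswith("http"):
            findings.append(f"{key} references a remote path ({value})")
    return {"url": url, "findings": findings, "sha256": hashlib.sha256(data).hexdigest()}


def triage_zip(zip_bytes):
    """Triage every .url member of an in-memory zip; returns {member name: result}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".url"):
                results[info.filename] = triage_url_file(zf.read(info))
    return results


def build_sample_zip():
    """Build a small zip containing the constructed shortcut, mirroring the lure layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Documenti.url", SAMPLE_URL_FILE)
    return buf.getvalue()


if __name__ == "__main__":
    for name, result in triage_zip(build_sample_zip()).items():
        print(name, result["sha256"], result["url"])
        for finding in result["findings"]:
            print("  -", finding)
```

The `host@80` form in the constructed sample is the Windows WebDAV UNC notation; shortcuts whose URL or IconFile resolve over WebDAV or SMB are worth a second look because the first-stage fetch then happens in the Windows shell rather than the browser.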

MITRE ATT&CK Enterprise v15