General

  • Target

    sistema.zip

  • Size

    159KB

  • Sample

    231012-rfj54sfe53

  • MD5

    1f96ca3a4b98695bb9114625bcda0d64

  • SHA1

    113ea7ea34278c2caee662c6d209f7fbb6efe2dd

  • SHA256

    4e60a91c81426514a2af79081f4d30f0136657214144c4a920bbb5947087df6e

  • SHA512

    80579768dcb5f6a0dad5c03a019dd059dac7aed714a78d749bdf70795320ed28c5d3af9fb81c493b531928e1e3c40365ed55dbaf44247b1ef6987390f2e8fab8

  • SSDEEP

    3072:uQ0nEQH0AkecLGrcchh3s47XlXfT+Fgjl/P5pcAyVV3wsOmtEQsh41TBKF7As01m:D0nEBA5r3h3LX9r+qNBazgFmWQsudBcJ

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      sistema.cpl

    • Size

      206KB

    • MD5

      72e2a5c797954e895a41be5b20f867b2

    • SHA1

      419aacfb3ccea9b08277bcc9405054fa4238a597

    • SHA256

      858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

    • SHA512

      77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

    • SSDEEP

      6144:sMmIE7vr+qWNGzfXDanCU60rPP+vJsWKq12Jy:o/7DrQGzfXDeCU6cevKWXwy

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks