gozi | 4e60a91c81426514a2af79081f4d30f0136657214144c4a920bbb5947087df6e | Triage

Sharing

General

Target

sistema.zip
Size

159KB
Sample

231012-rfj54sfe53
MD5

1f96ca3a4b98695bb9114625bcda0d64
SHA1

113ea7ea34278c2caee662c6d209f7fbb6efe2dd
SHA256

4e60a91c81426514a2af79081f4d30f0136657214144c4a920bbb5947087df6e
SHA512

80579768dcb5f6a0dad5c03a019dd059dac7aed714a78d749bdf70795320ed28c5d3af9fb81c493b531928e1e3c40365ed55dbaf44247b1ef6987390f2e8fab8
SSDEEP

3072:uQ0nEQH0AkecLGrcchh3s47XlXfT+Fgjl/P5pcAyVV3wsOmtEQsh41TBKF7As01m:D0nEBA5r3h3LX9r+qNBazgFmWQsudBcJ

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  sistema.cpl
- Size
  
  206KB
- MD5
  
  72e2a5c797954e895a41be5b20f867b2
- SHA1
  
  419aacfb3ccea9b08277bcc9405054fa4238a597
- SHA256
  
  858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0
- SHA512
  
  77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3
- SSDEEP
  
  6144:sMmIE7vr+qWNGzfXDanCU60rPP+vJsWKq12Jy:o/7DrQGzfXDeCU6cevKWXwy
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi5050bankerisfbtrojan

behavioral2

gozi5050bankerisfbtrojan