gozi

Sharing

Copy URL

Twitter E-mail

General

Target

url.rar
Size

2KB
Sample

231013-b3qcmsbd74
MD5

2d9bb40c7ff214388ce1e6b6c4e43ece
SHA1

e18bd46c22647bc85f16176b359d1638af2ffd0b
SHA256

40bbc905f9521a2892abf91df0ed1678caf43be3c05f2aaf4192707d84f94665
SHA512

7add8b541cc944f754245267a8002fc39ebc7346134e8a0d7dc1d130168fc954d7ce1592b175edef241f63d509be06900570e98a7a6f154cec998efae3773746

Score

10^/10

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  url/Amministrazione.url
- Size
  
  195B
- MD5
  
  ba89826b4115e395e16cb5a1f88b8509
- SHA1
  
  9638d1cb1dde598f6b6e6d165f193c972ba3c229
- SHA256
  
  e27258c5b05fba296137f8639082a4879f8795b3d3906788e36b59d74eb18062
- SHA512
  
  bd348e28231532bea645759b0d0d0ee6a41f83ad4104b3284728bdbfd296080e9540d2a18160f88cd2db0b33797ba7813607860aa92f4bce93c7434ba92f138f
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  url/Azienda.url
- Size
  
  193B
- MD5
  
  385b2d1cc0f48c9b113009619258b210
- SHA1
  
  2a956120277957bf6b11ec05568e148cb1c0bc7c
- SHA256
  
  589deb6665a90960cfbe3db62f3477f9a2087a2b2eb03d1a19ea69374a9eb34e
- SHA512
  
  a82d7f78c72d8ba1849473a7ac2536e1c332289fbdf11c6ea6f5de6f182208871a4ccb59a0f5facccdd6d0c78e9c9e10dcfe4aa067426fe0ce69358477364e18
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  url/Cliente.url
- Size
  
  194B
- MD5
  
  0da2f6812c1bc76eaa25be1e6a2eaf4c
- SHA1
  
  e4b237e5f7bb7b96e9bfb43c126541fc892d3b0a
- SHA256
  
  0042887574aae1f954f0459b9448c0fa4501bb8719843940315d466645da9a7b
- SHA512
  
  a5495580fae00444b4edbff6894e1e302025ddff295a26fe519bc229724d3961646afb1cece2be892b19840035152a937fa3f7910e4fe04adea751eb319d96cb
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  url/Documenti.url
- Size
  
  195B
- MD5
  
  4d7d46f082ea539ffef896638e7f621e
- SHA1
  
  f1b9e5c62fe28ba60f7977bc9ff7a48124d40294
- SHA256
  
  2d58ddd8ca73f4eff0945a3537e0a7bf888fdf7fb963ef43d8e07f5517404f69
- SHA512
  
  9f14c82416a0861348cec391c9f87664bd0772a5bfd973c3ad0ab6bb071df5778781d2ba5dbcedfbc65d26c58c86eb9d14a8299cecd611e9dfedabbbf1fa922e
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  url/Informazioni.url
- Size
  
  193B
- MD5
  
  1d845b70ddd55eadc3839f5260a3fe98
- SHA1
  
  9e6777fc98e89c4fd6f27cc7bed1c50a965c8c0d
- SHA256
  
  a6e70f830d130741e0707af7e78a9d2cfb5bc05a487a213b10c8554b40d4c8fa
- SHA512
  
  25be0840385e11b34d3544e33bce9e89e01132568cac404107018f7a238db3cd8bd907e172e66cf36a30944eb9163a8663ab9b587c6bd35872c03c4a22b57bd2
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  url/dettagli.url
- Size
  
  208B
- MD5
  
  1b903a8fc64800bc3601174a915c7e48
- SHA1
  
  26441d57d2fa5fc268660dfd894eb066fbda289a
- SHA256
  
  ee26c22ad61136470226197bd27f757e1f2a4c18b10d33bb6dbeeffceed8ec00
- SHA512
  
  a625f87c8c328aa18853d8a1ae54952d0459c6c7796b39dde55db3daa2652754e3c8351130acd037a35ebae6f87fca29fb5f7bef3f44973e902ec04dd2da421a
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  url/inform.url
- Size
  
  204B
- MD5
  
  f13bd51782ee70b4034e8a9580300a84
- SHA1
  
  3ebc6a0ca2e44b66e73c8b48d57270b50d1ffa03
- SHA256
  
  8953bc8ade6782f508b669c9699999521f0fff2a0d63d45b1c167a82bb144797
- SHA512
  
  a0432a968c8d2b078011b8d35b56582877efe0fd8e652f05b629ad25709d0f0182482733a4ba56c0c92547da1aba19d8225c08fdae9c0d07fbacc1bce005484a
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  url/modulo.url
- Size
  
  204B
- MD5
  
  5ece85d608cc6f3fc7250c0a609241eb
- SHA1
  
  cadac53fa389635eac3ae62291d9022b06f8e801
- SHA256
  
  8636389e0cb65ea3dc6f46c33ad78d2b03601a3eec7945586920a4f7581e9792
- SHA512
  
  2b3f771cb4556412aea1f87fc1d06b35673739fac17b7bffcd988a245ccf67ab8208699adb07f527739df2cc493ccb2bf32a78de08a8d75ee4af8e9e28ae7ef6
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  url/processo.url
- Size
  
  208B
- MD5
  
  e98e3a495a146d3048f39c08706a0755
- SHA1
  
  ddcda25154570cd1fd9a0932dbb64d8768cac86a
- SHA256
  
  b4ff46c2f843a1f69b7ffae5efa6a1821bc6f8ebca5d52e91792f40bcc2933f0
- SHA512
  
  7b2ec42a75113277139763aa64fa288b2353a7a20423757dbd8136a75ac087ed0064620c4811a70acc0e5c1920fa5c056252de937430da65dde7124d16a8fc0c
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral17 behavioral18
- Target
  
  url/sistema.url
- Size
  
  206B
- MD5
  
  8d42f868af378fdaaf0fe40c29e52bbc
- SHA1
  
  1429d147f20ffed0505a47bea4a614deeda3e60c
- SHA256
  
  aeea621a727c1236ef86287c0733a97346621dfc74dbba858710a258449c0619
- SHA512
  
  aa296bd043daead87bdb2a2f895c8490635e87cbdacee4c11cd26e78913955a434506a449d91ddc90cb3b640e2d006fc04b18070cb5418d24080d4df842ef10a
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral19 behavioral20

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Gozi

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Gozi

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Gozi

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Gozi

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Gozi

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Gozi

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Gozi

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Gozi

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Gozi

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20