gozi | e4a5317a1b7c1ab91bb131dba5fea06fdb89e38c291e17f71b5c1634cfddecbe | Triage

Sharing

General

Target

a17de50fcd71c572f423c943f926c2a9
Size

504KB
Sample

240224-k8g3wsfe63
MD5

a17de50fcd71c572f423c943f926c2a9
SHA1

bd34e4d57bfc1938ebc93d8f404dbe7e019db0cf
SHA256

e4a5317a1b7c1ab91bb131dba5fea06fdb89e38c291e17f71b5c1634cfddecbe
SHA512

4fb4b5c2af8e3199d2ad51f67739da48f8363f7a5b7446dd496d8b58c90d1949bc49e841ff48baf99da92a88cddf22258bf48217bfbe889bdd9ad8b0c9257199
SSDEEP

12288:B7wAjlh98sQ73RBgy6aqGT8jSXxhYb/iWVEJ10mVSV/+K/BCz7uW:B7wAQsQ735TYb/qhVSk3

Score

10^/10

gozi 8877 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

8877

C2

outlook.com

xaaorunokee.site

taaorunokee.site

Attributes

base_path
/hreeen/
build
250212
dga_season
10
exe_type
loader
extension
.lof
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  a17de50fcd71c572f423c943f926c2a9
- Size
  
  504KB
- MD5
  
  a17de50fcd71c572f423c943f926c2a9
- SHA1
  
  bd34e4d57bfc1938ebc93d8f404dbe7e019db0cf
- SHA256
  
  e4a5317a1b7c1ab91bb131dba5fea06fdb89e38c291e17f71b5c1634cfddecbe
- SHA512
  
  4fb4b5c2af8e3199d2ad51f67739da48f8363f7a5b7446dd496d8b58c90d1949bc49e841ff48baf99da92a88cddf22258bf48217bfbe889bdd9ad8b0c9257199
- SSDEEP
  
  12288:B7wAjlh98sQ73RBgy6aqGT8jSXxhYb/iWVEJ10mVSV/+K/BCz7uW:B7wAQsQ735TYb/qhVSk3
Score

10^/10

gozi 8877 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gozi8877bankerisfbtrojan

behavioral2

gozi8877bankerisfbtrojan