gozi | 6ba74e480d00ffe167d261c3a30a7a88f904fa72eb1ec2778bfaa7f5b794cb6a | Triage

Sharing

General

Target

26f94a39e75541f144cca6eac234d45c_JaffaCakes118
Size

351KB
Sample

240508-1395gsab8w
MD5

26f94a39e75541f144cca6eac234d45c
SHA1

e855dabd59389fb104a849eced3121ae4f746a85
SHA256

6ba74e480d00ffe167d261c3a30a7a88f904fa72eb1ec2778bfaa7f5b794cb6a
SHA512

d377ba8af287737b58adcd363b70255b9fa8a7f00512db981e5bcdc6b31b026db5620dc28daef23b0e3ee21a8c0aee4d1a2ca3ba14d348cd9d3cf9d0024fe25e
SSDEEP

6144:t0y3NRJO22A8oos+W0OBMgxDy1+yAD2qGr5Pe3q9Yng:tBNfORjVOB7xDQ1AD2qGrJe3q9Yn

Score

10^/10

gozi 1010 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  26f94a39e75541f144cca6eac234d45c_JaffaCakes118
- Size
  
  351KB
- MD5
  
  26f94a39e75541f144cca6eac234d45c
- SHA1
  
  e855dabd59389fb104a849eced3121ae4f746a85
- SHA256
  
  6ba74e480d00ffe167d261c3a30a7a88f904fa72eb1ec2778bfaa7f5b794cb6a
- SHA512
  
  d377ba8af287737b58adcd363b70255b9fa8a7f00512db981e5bcdc6b31b026db5620dc28daef23b0e3ee21a8c0aee4d1a2ca3ba14d348cd9d3cf9d0024fe25e
- SSDEEP
  
  6144:t0y3NRJO22A8oos+W0OBMgxDy1+yAD2qGr5Pe3q9Yng:tBNfORjVOB7xDQ1AD2qGrJe3q9Yn
Score

10^/10

gozi 1010 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi1010bankerisfbpersistencetrojan

behavioral2

gozi1010bankerisfbpersistencetrojan