Overview

overview

10

Static

static

7

41a8374be5...18.exe

windows7-x64

10

41a8374be5...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    41a8374be557af3621718e88004fdc46_JaffaCakes118

  • Size

    123KB

  • Sample

    240514-qpkbsshc42

  • MD5

    41a8374be557af3621718e88004fdc46

  • SHA1

    71af660530aeae5bb4c40174a6b3d25356c62aba

  • SHA256

    5a903ed3e4e589bdf870851a44617b3f907485fab40662e4726e2f40fcdcc2d0

  • SHA512

    73ab550d59452750cbff6d49b7016e3408e16bb7db0412a419e429ad2b514b872055293644699ba3ba8cbb97d61adf03632e5a3d70c516bf4b30665013660355

  • SSDEEP

    3072:g9nY+T1R66DKvurYSYUvl2dpt+ctd7yP:K5R6p2cSxwwko

Score
10/10
gozi1000bankerisfbtrojanupx

Malware Config

Extracted

Family

gozi

Attributes
  • build

    217061

Extracted

Family

gozi

Botnet

1000

C2

intro.tir001.at/rpc

doa.quappak.at/rpc

api.siperskon.at/rpc

io.tir001.at/rpc

ytruieowphf.bit/rpc

u2.ceelop.at/rpc

enter.nokartoon.at/rpc

api.nwq2000.at/rpc

cd.iqwoker.at/rpc

api.fin150.at/rpc

chat.loop1000.at/rpc

chat.iqwoker.at/rpc

mahono.cn/rpc
Attributes
  • build

    217061

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    192.71.245.208

    8.8.8.8

    178.17.170.179

    82.196.9.45

    151.80.222.79

    68.183.70.217

    217.144.135.7

    158.69.160.164

    207.148.83.241

    5.189.170.196

    217.144.132.148

    94.247.43.254

    188.165.200.156

    159.89.249.249

    150.249.149.222

  • exe_type

    loader

  • server_id

    150

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      41a8374be557af3621718e88004fdc46_JaffaCakes118

    • Size

      123KB

    • MD5

      41a8374be557af3621718e88004fdc46

    • SHA1

      71af660530aeae5bb4c40174a6b3d25356c62aba

    • SHA256

      5a903ed3e4e589bdf870851a44617b3f907485fab40662e4726e2f40fcdcc2d0

    • SHA512

      73ab550d59452750cbff6d49b7016e3408e16bb7db0412a419e429ad2b514b872055293644699ba3ba8cbb97d61adf03632e5a3d70c516bf4b30665013660355

    • SSDEEP

      3072:g9nY+T1R66DKvurYSYUvl2dpt+ctd7yP:K5R6p2cSxwwko

    Score
    10/10
    gozi1000bankerisfbtrojanupx

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks