gozi | 14d4db1adde49001f81cb670a60f9d40fc7dea4b96cd77029ca87b44ccb586c8 | Triage

Sharing

General

Target

5016784605ad3fd883fbdfdd5fbd469f_JaffaCakes118
Size

749KB
Sample

240517-r911qacg3x
MD5

5016784605ad3fd883fbdfdd5fbd469f
SHA1

30100663d3d88d7399948f7f92602efcb70b5a86
SHA256

14d4db1adde49001f81cb670a60f9d40fc7dea4b96cd77029ca87b44ccb586c8
SHA512

3f61dac201d25c5cb8932e9bed8b762c6897462edf912091e6921f2895645908b64c91a779f8db0cac76a0ddae19808d9ba6ce7fb27cd0a0153c5bf20d01f116
SSDEEP

12288:INVtF21kgh6j10JGCDn3NVEoYFA5rId7ipJC:INVtEjcMfTpYC5cmHC

Score

10^/10

gozi 700 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

700

C2

http://cxzko43pnr7ujnte.onion

http://intraders-support.at

http://freshness-girls.at

Attributes

build
216098
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  5016784605ad3fd883fbdfdd5fbd469f_JaffaCakes118
- Size
  
  749KB
- MD5
  
  5016784605ad3fd883fbdfdd5fbd469f
- SHA1
  
  30100663d3d88d7399948f7f92602efcb70b5a86
- SHA256
  
  14d4db1adde49001f81cb670a60f9d40fc7dea4b96cd77029ca87b44ccb586c8
- SHA512
  
  3f61dac201d25c5cb8932e9bed8b762c6897462edf912091e6921f2895645908b64c91a779f8db0cac76a0ddae19808d9ba6ce7fb27cd0a0153c5bf20d01f116
- SSDEEP
  
  12288:INVtF21kgh6j10JGCDn3NVEoYFA5rId7ipJC:INVtEjcMfTpYC5cmHC
Score

10^/10

gozi 700 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi700bankerisfbpersistencetrojan

behavioral2

gozi700bankerisfbpersistencetrojan