gozi | 3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b | Triage

Sharing

General

Target

69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118
Size

586KB
Sample

240523-gtqvpsfh54
MD5

69fb0b7092d4f247ac065abc6b06042b
SHA1

8d8d9b846e2f4624063806291c5875953d67457c
SHA256

3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b
SHA512

4f06d42fed4c033b1d835f0b7fc79450a8432c1168f4232d5534f26ec9bc07f5ed6df0a33736f41849b37be3279d23b0fa2b77dfb68ab92caaab9d3ec33a6b78
SSDEEP

12288:osiOZO5I+h2gOoIMUUtN5y1iyqTU/zWjdp9fs:+eO5I22lMUUEiyqM+dp9f

Score

10^/10

gozi 1100 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1100

C2

cyajon.at/krp3cmg

outaplaceshave.cn/krp3cmg

nozakin.at/krp3cmg

hothegivforsuffer.cn/krp3cmg

austrinok.at/krp3cmg

comerail.su/krp3cmg

ambieko.at/krp3cmg

justiceseasfriends.cn/krp3cmg

semitrol.at/krp3cmg

goinumder.su/krp3cmg

arexan.at/krp3cmg

trepeatedandequal.cn/krp3cmg

golovor.at/krp3cmg

therepalon.su/krp3cmg

creatortherefore.cn/krp3cmg

Attributes

build
214798
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
exe_type
worker
server_id
110

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118
- Size
  
  586KB
- MD5
  
  69fb0b7092d4f247ac065abc6b06042b
- SHA1
  
  8d8d9b846e2f4624063806291c5875953d67457c
- SHA256
  
  3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b
- SHA512
  
  4f06d42fed4c033b1d835f0b7fc79450a8432c1168f4232d5534f26ec9bc07f5ed6df0a33736f41849b37be3279d23b0fa2b77dfb68ab92caaab9d3ec33a6b78
- SSDEEP
  
  12288:osiOZO5I+h2gOoIMUUtN5y1iyqTU/zWjdp9fs:+eO5I22lMUUEiyqM+dp9f
Score

10^/10

gozi 1100 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gozi1100bankerisfbpersistencetrojan

behavioral2

gozi1100bankerisfbpersistencetrojan