gozi | 529703b6eb07ca5fd66dd13fc050250a6d81e4a78a27ac062c919825e2734e3d | Triage

Sharing

General

Target

3c04b66bac4da25cab371b8b4eff27a0_JaffaCakes118
Size

379KB
Sample

241012-zvh6csvgql
MD5

3c04b66bac4da25cab371b8b4eff27a0
SHA1

4baf4140dca85d3417d28a991b9d3f56d5df8d59
SHA256

529703b6eb07ca5fd66dd13fc050250a6d81e4a78a27ac062c919825e2734e3d
SHA512

550abb295b91e5d23267ecdc57c2c4cfbbbdfccf300b64e4eaad5245f704e32fcff0e5991595973f50ad5982c7822a25738f81382e4c4fc06f97058e2f7a9c83
SSDEEP

6144:B7qdqAPhbXKdiT5CQJjK4Rqhv5ZD4eadxrNbp8MpjAeuLTDUp/1Y7jB:BhAP16ETY0jVGZD4ZRNbp8AUeyDUp9Yx

Score

10^/10

gozi 1002 banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1002

C2

romaya.ru

matashka.ru

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  3c04b66bac4da25cab371b8b4eff27a0_JaffaCakes118
- Size
  
  379KB
- MD5
  
  3c04b66bac4da25cab371b8b4eff27a0
- SHA1
  
  4baf4140dca85d3417d28a991b9d3f56d5df8d59
- SHA256
  
  529703b6eb07ca5fd66dd13fc050250a6d81e4a78a27ac062c919825e2734e3d
- SHA512
  
  550abb295b91e5d23267ecdc57c2c4cfbbbdfccf300b64e4eaad5245f704e32fcff0e5991595973f50ad5982c7822a25738f81382e4c4fc06f97058e2f7a9c83
- SSDEEP
  
  6144:B7qdqAPhbXKdiT5CQJjK4Rqhv5ZD4eadxrNbp8MpjAeuLTDUp/1Y7jB:BhAP16ETY0jVGZD4ZRNbp8AUeyDUp9Yx
Score

10^/10

gozi 1002 banker discovery isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi1002bankerdiscoveryisfbtrojan

behavioral2

gozi1002bankerdiscoveryisfbtrojan