gozi | 732f00a1a664ca6b7a3b19a4f533a32719c7f1d688e3175e6e5118e7cd829693 | Triage

Sharing

General

Target

8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.exe
Size

672KB
Sample

241111-aknwesxncx
MD5

727235afc25234c92c82e99c05a9f0c8
SHA1

a200141f482b8d470e0a3c1a7638a74df9987920
SHA256

732f00a1a664ca6b7a3b19a4f533a32719c7f1d688e3175e6e5118e7cd829693
SHA512

94eda3f5ad431382d51d98af49bb8672d79d7996b6beeb2e9ab7e036b6784a513ca1ebb2b3db35cb591ffd7a667c9605cb0948996bba30253f597955ad377db9
SSDEEP

12288:97EFH9MS0eApw2fmB1zNDLRfm4yVjg6AI18R5kQSuOscoujeNR:97EIeewHNIAIiRmQ9ujeNR

Score

10^/10

gozi 1000 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://shoshanna.at

http://maiamirainy.at

Attributes

build
217027
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.exe
- Size
  
  672KB
- MD5
  
  727235afc25234c92c82e99c05a9f0c8
- SHA1
  
  a200141f482b8d470e0a3c1a7638a74df9987920
- SHA256
  
  732f00a1a664ca6b7a3b19a4f533a32719c7f1d688e3175e6e5118e7cd829693
- SHA512
  
  94eda3f5ad431382d51d98af49bb8672d79d7996b6beeb2e9ab7e036b6784a513ca1ebb2b3db35cb591ffd7a667c9605cb0948996bba30253f597955ad377db9
- SSDEEP
  
  12288:97EFH9MS0eApw2fmB1zNDLRfm4yVjg6AI18R5kQSuOscoujeNR:97EIeewHNIAIiRmQ9ujeNR
Score

10^/10

gozi 1000 banker discovery isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi1000bankerdiscoveryisfbpersistencetrojan

behavioral2

gozi1000bankerdiscoveryisfbpersistencetrojan