gozi | 481821d0313006387cdb23cce4829f157c3f299e6ccbe284aeecf322826d2c7e | Triage

Sharing

General

Target

9e30414d0fc9fbe797e41cab5100a714_JaffaCakes118
Size

351KB
Sample

241125-1496wayph1
MD5

9e30414d0fc9fbe797e41cab5100a714
SHA1

b7f8accc729abc276a0510657becab414506d789
SHA256

481821d0313006387cdb23cce4829f157c3f299e6ccbe284aeecf322826d2c7e
SHA512

cfea07aae4ade705e57479ff8fb242b2a7407baa68260e4a0dd7ce77975e58026348cc9a41dfd2324a6ea45bff1a7e831c42ac065e1c7462ca777e5cabaf4fa6
SSDEEP

6144:O0y3NRJO22A8oos+W0OBMgxDy1+yAD2qGr5Pe3q9Yng:OBNfORjVOB7xDQ1AD2qGrJe3q9Yn

Score

10^/10

gozi 1010 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  9e30414d0fc9fbe797e41cab5100a714_JaffaCakes118
- Size
  
  351KB
- MD5
  
  9e30414d0fc9fbe797e41cab5100a714
- SHA1
  
  b7f8accc729abc276a0510657becab414506d789
- SHA256
  
  481821d0313006387cdb23cce4829f157c3f299e6ccbe284aeecf322826d2c7e
- SHA512
  
  cfea07aae4ade705e57479ff8fb242b2a7407baa68260e4a0dd7ce77975e58026348cc9a41dfd2324a6ea45bff1a7e831c42ac065e1c7462ca777e5cabaf4fa6
- SSDEEP
  
  6144:O0y3NRJO22A8oos+W0OBMgxDy1+yAD2qGr5Pe3q9Yng:OBNfORjVOB7xDQ1AD2qGrJe3q9Yn
Score

10^/10

gozi 1010 banker discovery isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi1010bankerdiscoveryisfbpersistencetrojan

behavioral2

gozi1010bankerdiscoveryisfbpersistencetrojan