gozi | 54663fd1d1312b20fb9ac3015ccf77ef094069c5719f5e0cdd71e8243a97a4c7 | Triage

Sharing

General

Target

36599208287637_182387937827.vbs
Size

2.0MB
Sample

241126-jw5gzsymgn
MD5

38b6d2b8eb400e54a5382b3b4b028639
SHA1

feedae24f937be7be234d213461e50f91e985e68
SHA256

54663fd1d1312b20fb9ac3015ccf77ef094069c5719f5e0cdd71e8243a97a4c7
SHA512

413b3bbd3367b2d414aeba286303baaf96a3ee932a0f11b9b2e1b387ce62a41c1d1a4718f235a9b7894bdf408dbb95a284ce77b464614bb8c3f4fe29367b27eb
SSDEEP

49152:DfEgMVfAz54XC5ocIaev2kkjxeGsiqxfnrq4lxIeGa0KVt+1nZiLLHhyoU8:+

Score

10^/10

gozi 63 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

63

C2

http://aaxvkah7dudzoloq.onion

http://cloud-start.at

http://mashallah.at

Attributes

build
217083
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  36599208287637_182387937827.vbs
- Size
  
  2.0MB
- MD5
  
  38b6d2b8eb400e54a5382b3b4b028639
- SHA1
  
  feedae24f937be7be234d213461e50f91e985e68
- SHA256
  
  54663fd1d1312b20fb9ac3015ccf77ef094069c5719f5e0cdd71e8243a97a4c7
- SHA512
  
  413b3bbd3367b2d414aeba286303baaf96a3ee932a0f11b9b2e1b387ce62a41c1d1a4718f235a9b7894bdf408dbb95a284ce77b464614bb8c3f4fe29367b27eb
- SSDEEP
  
  49152:DfEgMVfAz54XC5ocIaev2kkjxeGsiqxfnrq4lxIeGa0KVt+1nZiLLHhyoU8:+
Score

10^/10

gozi 63 banker discovery isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi63bankerdiscoveryisfbpersistencetrojan

behavioral2

gozi63bankerdiscoveryisfbpersistencetrojan