gozi | b53e33675de30f4bf86518bc21c104bc88ee97025b3a47d8c697b0539e50cd34 | Triage

Sharing

General

Target

f3d8f2cf1d8faf3bf57fa4fb53f28140_JaffaCakes118
Size

228KB
Sample

241215-nwzc7asrat
MD5

f3d8f2cf1d8faf3bf57fa4fb53f28140
SHA1

00490312cd86766657bb413e66deb81144ed3a96
SHA256

b53e33675de30f4bf86518bc21c104bc88ee97025b3a47d8c697b0539e50cd34
SHA512

c14c5149fd7daaf0987a829bd3157e5ad5e70c746fa67347393cbb0bc92e74ddcfba1ed435edaa01b4bc54ccdac84338ab46d34ceb551401026b6254ebb79b50
SSDEEP

3072:hC0fyjm4tt4JVJrwfv1hdjZhsfYy3tXwpY1GMOJd4t1p+srU3qH4VdW2Ujuy/zSz:FydttkVJrqxLAwVMO+v+sSEdK

Score

10^/10

gozi 1000 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

rababyici.com

vurufvapu.com

nighibnos.com

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  f3d8f2cf1d8faf3bf57fa4fb53f28140_JaffaCakes118
- Size
  
  228KB
- MD5
  
  f3d8f2cf1d8faf3bf57fa4fb53f28140
- SHA1
  
  00490312cd86766657bb413e66deb81144ed3a96
- SHA256
  
  b53e33675de30f4bf86518bc21c104bc88ee97025b3a47d8c697b0539e50cd34
- SHA512
  
  c14c5149fd7daaf0987a829bd3157e5ad5e70c746fa67347393cbb0bc92e74ddcfba1ed435edaa01b4bc54ccdac84338ab46d34ceb551401026b6254ebb79b50
- SSDEEP
  
  3072:hC0fyjm4tt4JVJrwfv1hdjZhsfYy3tXwpY1GMOJd4t1p+srU3qH4VdW2Ujuy/zSz:FydttkVJrqxLAwVMO+v+sSEdK
Score

10^/10

gozi 1000 banker discovery isfb trojan persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi1000bankerdiscoveryisfbtrojan

behavioral2

gozi1000bankerdiscoveryisfbpersistencetrojan