gozi | 66672c276272ec58d7b1c5cb087295a050cc23881bb31e0bb5b9c6035093fef5 | Triage

Sharing

General

Target

66672c276272ec58d7b1c5cb087295a050cc23881bb31e0bb5b9c6035093fef5
Size

626KB
Sample

241221-v91lqsvlbs
MD5

9fe1f95e8964506d56a27c7adc949039
SHA1

3fe9c746400e15ae08b1d95e454f89d26e273b69
SHA256

66672c276272ec58d7b1c5cb087295a050cc23881bb31e0bb5b9c6035093fef5
SHA512

fc3fb00c324966fbd80203020da6831e473f6a6ca3bb828d642404021d1785adb404e6a56420b043b529e76e50c619893acae4f0e8a62f1c2c87b4d67ffc5f69
SSDEEP

12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8Zz:+w1lEKOpuYxiwkkgjAN8Zz

Score

10^/10

gozi 999 banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

999

C2

config.edge.skype.com

146.70.35.138

146.70.35.142

Attributes

base_path
/phpadmin/
build
250227
exe_type
loader
extension
.src
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  66672c276272ec58d7b1c5cb087295a050cc23881bb31e0bb5b9c6035093fef5
- Size
  
  626KB
- MD5
  
  9fe1f95e8964506d56a27c7adc949039
- SHA1
  
  3fe9c746400e15ae08b1d95e454f89d26e273b69
- SHA256
  
  66672c276272ec58d7b1c5cb087295a050cc23881bb31e0bb5b9c6035093fef5
- SHA512
  
  fc3fb00c324966fbd80203020da6831e473f6a6ca3bb828d642404021d1785adb404e6a56420b043b529e76e50c619893acae4f0e8a62f1c2c87b4d67ffc5f69
- SSDEEP
  
  12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8Zz:+w1lEKOpuYxiwkkgjAN8Zz
Score

10^/10

gozi 999 banker discovery isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Blocklisted process makes network request
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi999bankerdiscoveryisfbtrojan

behavioral2

gozi999bankerdiscoveryisfbtrojan