gozi | 46b5874e9b9bb840ae324b04473097c3c295830df07f1c49511bf3c246199963 | Triage

Sharing

General

Target

JaffaCakes118_46b5874e9b9bb840ae324b04473097c3c295830df07f1c49511bf3c246199963
Size

282KB
Sample

241224-xvscxsvlcl
MD5

5a8240c95e632628c6715dcbd6beda2e
SHA1

a443e3a4202951fbeb4af0bd10fcdb818f0c58d4
SHA256

46b5874e9b9bb840ae324b04473097c3c295830df07f1c49511bf3c246199963
SHA512

50ff52ca9cbcd7fe98649c07b92e62b6a48c3c6c0645d10a603a39cc06161d6866ecfaa99fe1c56ddd347f51511578237e4abb5047b52d6de3d4e0399c119ffe
SSDEEP

6144:0IIYWs9kMPYVValUveAWZLbWt4XweBMVDY4DDb+XY28d+4nIp2fE:0dXMPYrElLbe2/B4DY8mI28dap2s

Score

10^/10

gozi 303 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

303

C2

http://aaxvkah7dudzoloq.onion

http://tahhir.at

http://limpopo.at

http://estate-advice.at

Attributes

build
217107
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01
- Size
  
  304KB
- MD5
  
  4c7aa22092360d14d5c799e0bd873d78
- SHA1
  
  64372fa56d6cac4c6ec49ea02f3a5ffe32566aa8
- SHA256
  
  3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01
- SHA512
  
  72d010a5c4ef66c2883410e7d93f9751db47267c91a3c52c24e9f5b39c3953e2a659c1552d88238b053001c4d29ee3fd65bafcc389281aa806c1a6e3cd161555
- SSDEEP
  
  6144:Kg4Myj0VKau5jfPcMhV2RRYgUvCwZsUpQitLZWVWJC9OfrOYujPy:kaVKbJcMhVEeRpaU38VQCUwm
Score

10^/10

gozi 303 banker discovery isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi303bankerdiscoveryisfbpersistencetrojan

behavioral2

gozi303bankerdiscoveryisfbpersistencetrojan