gozi | 44fbfc91f971975f6351843b984d157279f503681d6cb9e652d421f4eefc2236 | Triage

Resubmissions

25/03/2025, 21:22

250325-z7241awn18 10

25/03/2025, 21:19

250325-z553wasxfy 10

25/03/2025, 21:15

250325-z39chswnx3 10

Sharing

General

Target

44fbfc91f971975f6351843b984d157279f503681d6cb9e652d421f4eefc2236.zip
Size

218KB
Sample

250325-z7241awn18
MD5

a30bdbf2b6940c6020d53a34d46afe9e
SHA1

dbedd0d36a3365c558af5f0968e190a81edc8401
SHA256

44fbfc91f971975f6351843b984d157279f503681d6cb9e652d421f4eefc2236
SHA512

ba79e9a8cae53800bf47bf7845348b0c8e4c33c10857707bdbbb4aacdf3c039968d974b1e4942652f1c46ec10a3a838e10c87799e6a93f8caffd900b42c428b4
SSDEEP

3072:J4KlbvpA+O26/A0TxqL1n4vjb5WF9ycvpYLjgZpuU3cSSERReMhL0I4qP5pY:J4KldjyDlqLR4LbEDyc6UpDcSfeMPdi

Score

10^/10

gozi 3300 banker discovery execution isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3300

C2

addlock.mitial.at/api1

Attributes

build
250141
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
730

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  44fbfc91f971975f6351843b984d157279f503681d6cb9e652d421f4eefc2236.zip
- Size
  
  218KB
- MD5
  
  a30bdbf2b6940c6020d53a34d46afe9e
- SHA1
  
  dbedd0d36a3365c558af5f0968e190a81edc8401
- SHA256
  
  44fbfc91f971975f6351843b984d157279f503681d6cb9e652d421f4eefc2236
- SHA512
  
  ba79e9a8cae53800bf47bf7845348b0c8e4c33c10857707bdbbb4aacdf3c039968d974b1e4942652f1c46ec10a3a838e10c87799e6a93f8caffd900b42c428b4
- SSDEEP
  
  3072:J4KlbvpA+O26/A0TxqL1n4vjb5WF9ycvpYLjgZpuU3cSSERReMhL0I4qP5pY:J4KldjyDlqLR4LbEDyc6UpDcSfeMPdi
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js
- Size
  
  1.3MB
- MD5
  
  34686f47e7d2f9206fd5dab3814ed870
- SHA1
  
  447fbec5fb2ffe97d839ce8ed56a75383dca02c1
- SHA256
  
  60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30
- SHA512
  
  092c9f37b44781031cd731a7c8fd358a3de4ac8be1192176bbb558e87a313c664918cc895e6c1971138342fb4bf24423afb6398ef6431d05c24f28a7c8788076
- SSDEEP
  
  6144:Zi9kVg2B54Ah7JHNhbvxPKf1wGYew0CATXH4R+LcKzwi1w3R1V8KyIvSzxRUXkjN:ZA
Score

10^/10

gozi 3300 banker discovery execution isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

gozi3300bankerdiscoveryexecutionisfbtrojan

behavioral4

gozi3300bankerdiscoveryexecutionisfbtrojan