General
Target: 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f
Size: 314KB
Sample: 221029-q6j3csaehp
MD5: e0e2f137d0ef1d11048e17939d8cbde2
SHA1: f38131561bb462dece03f2733c5038013ecce24c
SHA256: 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f
SHA512: 7d6c4e6e22182d51cd19194e76a9bb31960072b68bc7f986a00cf5bd7a90f06f47017de090074e18f84fbb8c4790ca1fecbff57fdfb9bbe4557ebd4fbb221671
SSDEEP: 6144:d5LMc6W0CMk2TBqx8p1668QblbUebV5k2FiZRX7Zp7j9:rT6tC72Tsx8p166xFbVCuiZZv7j
Static task: static1
Behavioral task: behavioral1
  Sample: 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
  Resource: win10v2004-20220901-en
Malware Config
Extracted: gozi
Extracted: gozi
  1010
  C2:
  - sys.naturallymewraps.com/geodata/version/ip2ext
  - nan.bocalee.com/geodata/version/ip2ext
  - sys.aronzvi.com/geodata/version/ip2ext
  - lan.hayloindigo.com/geodata/version/ip2ext
  - lansystemstat.com/geodata/version/ip2ext
  - highnetwork.pw/geodata/version/ip2ext
  - lostnetwork.in/geodata/version/ip2ext
  - sysconnections.net/geodata/version/ip2ext
  - lansupports.com/geodata/version/ip2ext
  build: 212578
  exe_type: worker
  server_id: 30
Targets
Target: 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f
Size: 314KB
MD5: e0e2f137d0ef1d11048e17939d8cbde2
SHA1: f38131561bb462dece03f2733c5038013ecce24c
SHA256: 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f
SHA512: 7d6c4e6e22182d51cd19194e76a9bb31960072b68bc7f986a00cf5bd7a90f06f47017de090074e18f84fbb8c4790ca1fecbff57fdfb9bbe4557ebd4fbb221671
SSDEEP: 6144:d5LMc6W0CMk2TBqx8p1668QblbUebV5k2FiZRX7Zp7j9:rT6tC72Tsx8p166xFbVCuiZZv7j
Score: 10/10
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext