gozi | e36d09b617f45d7385e0794e3f18fe30bb02422bb4c6683ded46511e1ed8720a | Triage

Submit
Reports

Overview

overview

Static

static

e36d09b617...0a.exe

windows7-x64

e36d09b617...0a.exe

windows10-2004-x64

Sharing

General

Target

e36d09b617f45d7385e0794e3f18fe30bb02422bb4c6683ded46511e1ed8720a
Size

343KB
Sample

221123-s8ea1agd3x
MD5

efffda899619ba79597af406f787b787
SHA1

5be622a908bc2d5fc00e45deaff65bd6b736d316
SHA256

e36d09b617f45d7385e0794e3f18fe30bb02422bb4c6683ded46511e1ed8720a
SHA512

250746da9cd78f0a12bb42c54f99b3c032e1c856c68805afc7d7d2613a74d94b180713e390e708929d7755dede1b394ade80bf0744c9ca4023b49362ba536a75
SSDEEP

3072:CSJKYEGt6CHPwD4ineRY/LE/iiSfgNxi5wOFxhRjhrEYkE10xc9XhMXYaVYigu8u:34YEGhHA4qTE6Da0FhrTOxc9XhJu8u

Score

10^/10

gozi 1000 banker isfb persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

e36d09b617f45d7385e0794e3f18fe30bb02422bb4c6683ded46511e1ed8720a.exe

Resource

win7-20220812-en

gozi 1000 banker isfb persistence trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

e36d09b617f45d7385e0794e3f18fe30bb02422bb4c6683ded46511e1ed8720a.exe

Resource

win10v2004-20220812-en

gozi 1000 banker isfb persistence trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

organfriandpopul.su/bbr_src/utilites/xxx

alrthesecuritywith.su/bbr_src/utilites/xxx

circumstanceshave.su/bbr_src/utilites/xxx

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  e36d09b617f45d7385e0794e3f18fe30bb02422bb4c6683ded46511e1ed8720a
- Size
  
  343KB
- MD5
  
  efffda899619ba79597af406f787b787
- SHA1
  
  5be622a908bc2d5fc00e45deaff65bd6b736d316
- SHA256
  
  e36d09b617f45d7385e0794e3f18fe30bb02422bb4c6683ded46511e1ed8720a
- SHA512
  
  250746da9cd78f0a12bb42c54f99b3c032e1c856c68805afc7d7d2613a74d94b180713e390e708929d7755dede1b394ade80bf0744c9ca4023b49362ba536a75
- SSDEEP
  
  3072:CSJKYEGt6CHPwD4ineRY/LE/iiSfgNxi5wOFxhRjhrEYkE10xc9XhMXYaVYigu8u:34YEGhHA4qTE6Da0FhrTOxc9XhJu8u
Score

10^/10

gozi 1000 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi1000bankerisfbpersistencetrojan

behavioral2

gozi1000bankerisfbpersistencetrojan

© 2018-2024

Terms | Privacy