gozi | e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a | Triage

Submit
Reports

Overview

overview

Static

static

e351ae6323...3a.exe

windows7-x64

e351ae6323...3a.exe

windows10-2004-x64

Sharing

General

Target

e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a
Size

251KB
Sample

221123-s8f5lagd3z
MD5

5a2464dd8d358eae6a7c4e3f34e2c397
SHA1

05bba1190ef667f51057f90b957ee1563bf1c0ee
SHA256

e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a
SHA512

93b528c9467413de1be7c798258aae93b1880ca2c2ea39d05594017b97e383edac7ff069a2f13d6b447658758a9c26632578e07a3289a5af68a06ec96168dc6e
SSDEEP

6144:4m6TcxBf15vI3hGYFaOH7j7eF3uREWRKRU1z:44xpQwYFa0H7exiNR1z

Score

10^/10

gozi 1000 banker isfb persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe

Resource

win7-20221111-en

gozi 1000 banker isfb persistence trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe

Resource

win10v2004-20221111-en

gozi 1000 banker isfb persistence trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

178.33.145.49/adwordsdata/dropbox/xxx

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a
- Size
  
  251KB
- MD5
  
  5a2464dd8d358eae6a7c4e3f34e2c397
- SHA1
  
  05bba1190ef667f51057f90b957ee1563bf1c0ee
- SHA256
  
  e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a
- SHA512
  
  93b528c9467413de1be7c798258aae93b1880ca2c2ea39d05594017b97e383edac7ff069a2f13d6b447658758a9c26632578e07a3289a5af68a06ec96168dc6e
- SSDEEP
  
  6144:4m6TcxBf15vI3hGYFaOH7j7eF3uREWRKRU1z:44xpQwYFa0H7exiNR1z
Score

10^/10

gozi 1000 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi1000bankerisfbpersistencetrojan

behavioral2

gozi1000bankerisfbpersistencetrojan

© 2018-2024

Terms | Privacy