gozi | 3b5da20c1a04ee07fe519a180c4343b9947b099fdfdc889f9f0e15d203ae1a6f | Triage

Submit
Reports

Overview

overview

Static

static

3b5da20c1a...6f.exe

windows7-x64

3b5da20c1a...6f.exe

windows10-2004-x64

Sharing

General

Target

3b5da20c1a04ee07fe519a180c4343b9947b099fdfdc889f9f0e15d203ae1a6f
Size

383KB
Sample

221123-v1r81ade3s
MD5

1f06e94d0fe50094a632018c625ff35b
SHA1

c1b0c111496158aa7630f5cebea2884f35ee8f57
SHA256

3b5da20c1a04ee07fe519a180c4343b9947b099fdfdc889f9f0e15d203ae1a6f
SHA512

4dd7624b0846061ff708d645a9ae95ccc133cf005a98f81050d6ffc8e578d8284a2c695b0f2718cea3b75dfb822dec7d2c84673aa68446950e319595b21e7407
SSDEEP

6144:ljx0Ssk2mAw93YPdHBpMGFm9Zi0w8LgnXYPToCKpDCSw7dXC6ALDq:px3sFmxyTFJ09snUoCKpDmVCo

Score

10^/10

gozi 1004 banker isfb persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

3b5da20c1a04ee07fe519a180c4343b9947b099fdfdc889f9f0e15d203ae1a6f.exe

Resource

win7-20220812-en

gozi 1004 banker isfb persistence trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

3b5da20c1a04ee07fe519a180c4343b9947b099fdfdc889f9f0e15d203ae1a6f.exe

Resource

win10v2004-20220901-en

gozi 1004 banker isfb persistence trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1004

C2

alefistacorm.ru

kashainterest.ru

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  3b5da20c1a04ee07fe519a180c4343b9947b099fdfdc889f9f0e15d203ae1a6f
- Size
  
  383KB
- MD5
  
  1f06e94d0fe50094a632018c625ff35b
- SHA1
  
  c1b0c111496158aa7630f5cebea2884f35ee8f57
- SHA256
  
  3b5da20c1a04ee07fe519a180c4343b9947b099fdfdc889f9f0e15d203ae1a6f
- SHA512
  
  4dd7624b0846061ff708d645a9ae95ccc133cf005a98f81050d6ffc8e578d8284a2c695b0f2718cea3b75dfb822dec7d2c84673aa68446950e319595b21e7407
- SSDEEP
  
  6144:ljx0Ssk2mAw93YPdHBpMGFm9Zi0w8LgnXYPToCKpDCSw7dXC6ALDq:px3sFmxyTFJ09snUoCKpDmVCo
Score

10^/10

gozi 1004 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi1004bankerisfbpersistencetrojan

behavioral2

gozi1004bankerisfbpersistencetrojan

© 2018-2024

Terms | Privacy