gozi | b245dd6cd46945ef849adf6e11e7125298238d51891778895fb31aae06e9f100 | Triage

Submit
Reports

Overview

overview

Static

static

b245dd6cd4...00.exe

windows7-x64

b245dd6cd4...00.exe

windows10-2004-x64

Sharing

General

Target

b245dd6cd46945ef849adf6e11e7125298238d51891778895fb31aae06e9f100
Size

241KB
Sample

221125-h2n7hsdg6x
MD5

bd201f6a7411a44b851194ee1363695c
SHA1

377ed077f7b644eb261c222711b82659502b2d67
SHA256

b245dd6cd46945ef849adf6e11e7125298238d51891778895fb31aae06e9f100
SHA512

2a6b67dade828bb28b5a2169d2d4a383221dc43b1e796353988c6892ebd204c61dee90e025e3a4b4aa398de2b88530ce877bc2eea1e0fae828d04cf38c3aeab2
SSDEEP

3072:KCXt3t8uWbNsDMzT00HaJ2W5GinS8f4gj6ErWqQH4DNWUvk5LpnArGxh3T:3NWaDM80HG2+Gr8PzrWTAYUvkphHh

Score

10^/10

gozi 1000 banker isfb persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

b245dd6cd46945ef849adf6e11e7125298238d51891778895fb31aae06e9f100.exe

Resource

win7-20221111-en

gozi 1000 banker isfb persistence trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

b245dd6cd46945ef849adf6e11e7125298238d51891778895fb31aae06e9f100.exe

Resource

win10v2004-20220812-en

gozi 1000 banker isfb persistence trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

goliathuz.com

musicvideoporntip3s.ru

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  b245dd6cd46945ef849adf6e11e7125298238d51891778895fb31aae06e9f100
- Size
  
  241KB
- MD5
  
  bd201f6a7411a44b851194ee1363695c
- SHA1
  
  377ed077f7b644eb261c222711b82659502b2d67
- SHA256
  
  b245dd6cd46945ef849adf6e11e7125298238d51891778895fb31aae06e9f100
- SHA512
  
  2a6b67dade828bb28b5a2169d2d4a383221dc43b1e796353988c6892ebd204c61dee90e025e3a4b4aa398de2b88530ce877bc2eea1e0fae828d04cf38c3aeab2
- SSDEEP
  
  3072:KCXt3t8uWbNsDMzT00HaJ2W5GinS8f4gj6ErWqQH4DNWUvk5LpnArGxh3T:3NWaDM80HG2+Gr8PzrWTAYUvkphHh
Score

10^/10

gozi 1000 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi1000bankerisfbpersistencetrojan

behavioral2

gozi1000bankerisfbpersistencetrojan

© 2018-2024

Terms | Privacy