gozi | 1513b9c5388526ffd54d792940662c3657be4c88c996d5e8a5a00bef62d0e750 | Triage

Submit
Reports

Overview

overview

Static

static

1513b9c538...50.exe

windows7-x64

1513b9c538...50.exe

windows10-2004-x64

Sharing

General

Target

1513b9c5388526ffd54d792940662c3657be4c88c996d5e8a5a00bef62d0e750
Size

262KB
Sample

221125-j7bdaadc69
MD5

eaaaeb6d2d4ff29de8538fa269764ee2
SHA1

548f7d585e57479f7f9028586652182fd0c1eeec
SHA256

1513b9c5388526ffd54d792940662c3657be4c88c996d5e8a5a00bef62d0e750
SHA512

d3cfccccef1f5d6af60aa52f72bfae861ddea939b8d93873dc6a9f417447dfc3155f931d5220606d5a090051aba8e1d8901be6166a18404ea5281aec562a4f86
SSDEEP

6144:1CDPGMZNukyinobUk0zPLHPu3xLb4iJTC1srF:1AO4/yin9fPLQX4ku2r

Score

10^/10

gozi 1000 banker isfb persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

1513b9c5388526ffd54d792940662c3657be4c88c996d5e8a5a00bef62d0e750.exe

Resource

win7-20221111-en

gozi 1000 banker isfb persistence trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

1513b9c5388526ffd54d792940662c3657be4c88c996d5e8a5a00bef62d0e750.exe

Resource

win10v2004-20220812-en

gozi 1000 banker isfb persistence trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

goliathuz.com

musicvideoporntip3s.ru

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  1513b9c5388526ffd54d792940662c3657be4c88c996d5e8a5a00bef62d0e750
- Size
  
  262KB
- MD5
  
  eaaaeb6d2d4ff29de8538fa269764ee2
- SHA1
  
  548f7d585e57479f7f9028586652182fd0c1eeec
- SHA256
  
  1513b9c5388526ffd54d792940662c3657be4c88c996d5e8a5a00bef62d0e750
- SHA512
  
  d3cfccccef1f5d6af60aa52f72bfae861ddea939b8d93873dc6a9f417447dfc3155f931d5220606d5a090051aba8e1d8901be6166a18404ea5281aec562a4f86
- SSDEEP
  
  6144:1CDPGMZNukyinobUk0zPLHPu3xLb4iJTC1srF:1AO4/yin9fPLQX4ku2r
Score

10^/10

gozi 1000 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi1000bankerisfbpersistencetrojan

behavioral2

gozi1000bankerisfbpersistencetrojan

© 2018-2024

Terms | Privacy