gozi | 3352610c742bc85a12ad4d032fbd503f8a3d1d749433c9b9f2662925dae61a21

General

Target

ldr.exe
Size

188KB
MD5

db8f4fe3a8636105927ca84928c92c3b
SHA1

f2ecbfeb58ab58d6e7f2d5a01e678cddd8ad57b0
SHA256

3352610c742bc85a12ad4d032fbd503f8a3d1d749433c9b9f2662925dae61a21
SHA512

69fb94a4d99b4a926241096ee1471486968a62e2ec3e6c9060aac3879eaef588f006b9a60a970da7598d8a3d52ffe9bc5406bf706dd586b3a88cde3356bd9449
SSDEEP

3072:lsj2ssx0dfbTAlLVm6a7FM5DF6/UkVm/lSRJGT5ZI+ZfL8:g2sELVmV76lmJGT5n1

Score

10^/10

gozi 202211252 banker rm3 trojan

Malware Config

Extracted

Family

gozi

Attributes

build
301027

Extracted

Family

gozi

Botnet

202211252

C2

https://unitpores.com

Attributes

build
301027
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.html

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376135439"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1141B5D1-6CA8-11ED-91F2-D2F8C2B78FDE} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1176 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1176 iexplore.exe
1176 iexplore.exe
1812 IEXPLORE.EXE
1812 IEXPLORE.EXE

pid	process
1176	iexplore.exe

pid	process
1176	iexplore.exe
1176	iexplore.exe
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1176 wrote to memory of 1812	1176	iexplore.exe	IEXPLORE.EXE
PID 1176 wrote to memory of 1812	1176	iexplore.exe	IEXPLORE.EXE
PID 1176 wrote to memory of 1812	1176	iexplore.exe	IEXPLORE.EXE
PID 1176 wrote to memory of 1812	1176	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\ldr.exe
"C:\Users\Admin\AppData\Local\Temp\ldr.exe"
1⤵
PID:1052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
155287dae8ebc52fb1854fc884d80235

SHA1
e82a36f54e1e988369730a83385c61acc958f0a1

SHA256
7eaaacbc3338da9dd3a43edc65f776eba925cc3793ae90ac50bd9124fa6bc5c1

SHA512
6072d8b9b941293289ad4b8d4be995dd5c9f64bb7623f845f6ebfca47ec3582167583f272daf376280a0013c7b20a3f4e27bafe583ffd22ab8b2ff30f31423a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IDTN8KHT.txt
Filesize
601B

MD5
67370f355874acce2936a9765635e615

SHA1
9fd713811faff5165abff769bb874c57659eca3d

SHA256
1f4d2f567ba25ec3b590ef15461d959794a911ccaa077cf2d5029a7d700895c7

SHA512
9f0820214f333df884d06b954048af77d2a2c3ff4f0b2883370bd56ae3c0dd08ed1721a6a00711afc5bd31a3f63ad626d6bfa4bc4be6e933c905a4686ead2ca4

Download Submit
memory/1052-54-0x000000000060B000-0x000000000061C000-memory.dmp

Filesize
68KB

Download
memory/1052-55-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/1052-56-0x0000000001000000-0x000000000124C000-memory.dmp

Filesize
2.3MB

Download
memory/1052-57-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1052-58-0x0000000000240000-0x0000000000258000-memory.dmp

Filesize
96KB

Download
memory/1052-64-0x000000000060B000-0x000000000061C000-memory.dmp

Filesize
68KB

Download
memory/1052-65-0x0000000001000000-0x000000000124C000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads