gozi | 05ee1eca0bc8ac75f287f6e4f9d813822147af9b4ff0f050e9574c884f8a5f36 | Triage

Submit
Reports

Overview

overview

Static

static

05ee1eca0b...36.exe

windows7-x64

05ee1eca0b...36.exe

windows10-2004-x64

Sharing

General

Target

05ee1eca0bc8ac75f287f6e4f9d813822147af9b4ff0f050e9574c884f8a5f36
Size

386KB
Sample

221126-s7c2jshf5z
MD5

6fa26b5a051dfd46f88b7afd8a3cca2f
SHA1

da72c68b166bb625155f45fa384f751221dcf83f
SHA256

05ee1eca0bc8ac75f287f6e4f9d813822147af9b4ff0f050e9574c884f8a5f36
SHA512

35a0a1ed114891bc9906ed17b42c62cab234ee873425357ae8750807b15d24635cb170f430fb321d52ed0f98d34c8040c6f2ac732d3e866eeec4c8ff18ba956f
SSDEEP

6144:x3rdqFza2ihKec2XddzyXThYxoM3pYdW1G0musNy2u5pndAj:xRya2P2XbzyXlY+M3WdW1XLsNy2iAj

Score

10^/10

gozi 1010 banker isfb persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

05ee1eca0bc8ac75f287f6e4f9d813822147af9b4ff0f050e9574c884f8a5f36.exe

Resource

win7-20221111-en

gozi 1010 banker isfb persistence trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

05ee1eca0bc8ac75f287f6e4f9d813822147af9b4ff0f050e9574c884f8a5f36.exe

Resource

win10v2004-20221111-en

gozi 1010 banker isfb persistence trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

neftinetinebudet.net/geodata/version/ip2ext

staticstoday.com/geodata/version/ip2ext

Attributes

build
212436
exe_type
worker
server_id
30

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  05ee1eca0bc8ac75f287f6e4f9d813822147af9b4ff0f050e9574c884f8a5f36
- Size
  
  386KB
- MD5
  
  6fa26b5a051dfd46f88b7afd8a3cca2f
- SHA1
  
  da72c68b166bb625155f45fa384f751221dcf83f
- SHA256
  
  05ee1eca0bc8ac75f287f6e4f9d813822147af9b4ff0f050e9574c884f8a5f36
- SHA512
  
  35a0a1ed114891bc9906ed17b42c62cab234ee873425357ae8750807b15d24635cb170f430fb321d52ed0f98d34c8040c6f2ac732d3e866eeec4c8ff18ba956f
- SSDEEP
  
  6144:x3rdqFza2ihKec2XddzyXThYxoM3pYdW1G0musNy2u5pndAj:xRya2P2XbzyXlY+M3WdW1XLsNy2iAj
Score

10^/10

gozi 1010 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi1010bankerisfbpersistencetrojan

behavioral2

gozi1010bankerisfbpersistencetrojan

© 2018-2024

Terms | Privacy