gozi | fcf0794f4c7c678763286e84d32d1451199e1fd1695fe21867955fa04dcae89a | Triage

Submit
Reports

Overview

overview

Static

static

fcf0794f4c...9a.exe

windows7-x64

fcf0794f4c...9a.exe

windows10-2004-x64

Sharing

General

Target

fcf0794f4c7c678763286e84d32d1451199e1fd1695fe21867955fa04dcae89a
Size

288KB
Sample

221127-rwwh3sdh89
MD5

0b6df2838e0eb797fe43700fde1a13d2
SHA1

83dc0a5bb4c68c7146df0f8fe59bc958888304bd
SHA256

fcf0794f4c7c678763286e84d32d1451199e1fd1695fe21867955fa04dcae89a
SHA512

97854e83ea45d8e31dda9c8f0685281d1af9e73f41b2df170b781075fd106143340d16fee24dfb8453b3e187a2b95b0b9f0dad5a08f11c7e4602822821503739
SSDEEP

6144:wUk5hN+hPNHAniFBX0OCfRUTHsZ6T44fYXzYfOJnrLi4U+Ep3:wUk5vwHaglpTHsm4qYXcWJnrLi4U+Ep3

Score

10^/10

gozi 2000 banker isfb persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

fcf0794f4c7c678763286e84d32d1451199e1fd1695fe21867955fa04dcae89a.exe

Resource

win7-20220812-en

gozi 2000 banker isfb persistence trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

fcf0794f4c7c678763286e84d32d1451199e1fd1695fe21867955fa04dcae89a.exe

Resource

win10v2004-20221111-en

gozi 2000 banker isfb persistence trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

2000

C2

tandem88.ru

janetly741.ru

juano229.ru

bumbo998.ru

chiko99.ru

Attributes

build
212507
exe_type
worker
server_id
93

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  fcf0794f4c7c678763286e84d32d1451199e1fd1695fe21867955fa04dcae89a
- Size
  
  288KB
- MD5
  
  0b6df2838e0eb797fe43700fde1a13d2
- SHA1
  
  83dc0a5bb4c68c7146df0f8fe59bc958888304bd
- SHA256
  
  fcf0794f4c7c678763286e84d32d1451199e1fd1695fe21867955fa04dcae89a
- SHA512
  
  97854e83ea45d8e31dda9c8f0685281d1af9e73f41b2df170b781075fd106143340d16fee24dfb8453b3e187a2b95b0b9f0dad5a08f11c7e4602822821503739
- SSDEEP
  
  6144:wUk5hN+hPNHAniFBX0OCfRUTHsZ6T44fYXzYfOJnrLi4U+Ep3:wUk5vwHaglpTHsm4qYXcWJnrLi4U+Ep3
Score

10^/10

gozi 2000 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi2000bankerisfbpersistencetrojan

behavioral2

gozi2000bankerisfbpersistencetrojan

© 2018-2024

Terms | Privacy