gozi | 500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

500716a46d...81.exe

windows7-x64

500716a46d...81.exe

windows10-2004-x64

Sharing

General

Target

500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781
Size

243KB
Sample

221127-xpk2nabd43
MD5

c2db310b19a07816183638816938eb5d
SHA1

ea5d7cfd5d278f019a77b99cfac9a8e0709d591e
SHA256

500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781
SHA512

54cd7c8c5b100e222dd53f338f6f4b8d2fb1fc55db36e848288881b1b5e4ad8200b0cc45d2d36f54bff9faff55e4d49a54a17b866687d2905789a20375eaf772
SSDEEP

6144:x4y6j8ncpnrKlEtSfTKfRn/kXfMbpuUW:uVAcpnulEEfWfR/YMbp

Score

10^/10

gozi 1000 banker isfb persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781.exe

Resource

win7-20220812-en

gozi 1000 banker isfb persistence trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781.exe

Resource

win10v2004-20221111-en

gozi 1000 banker isfb persistence trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

goliathuz.com

musicvideoporntip3s.ru

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781
- Size
  
  243KB
- MD5
  
  c2db310b19a07816183638816938eb5d
- SHA1
  
  ea5d7cfd5d278f019a77b99cfac9a8e0709d591e
- SHA256
  
  500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781
- SHA512
  
  54cd7c8c5b100e222dd53f338f6f4b8d2fb1fc55db36e848288881b1b5e4ad8200b0cc45d2d36f54bff9faff55e4d49a54a17b866687d2905789a20375eaf772
- SSDEEP
  
  6144:x4y6j8ncpnrKlEtSfTKfRn/kXfMbpuUW:uVAcpnulEEfWfR/YMbp
Score

10^/10

gozi 1000 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi1000bankerisfbpersistencetrojan

behavioral2

gozi1000bankerisfbpersistencetrojan

© 2018-2025

Terms | Privacy