gozi | 2da70ec19ccc974521025ffc8f32a1983b6517d1151ef4943c69d062954d3d3c | Triage

Submit
Reports

Overview

overview

Static

static

2da70ec19c...3c.exe

windows7-x64

2da70ec19c...3c.exe

windows10-2004-x64

Sharing

General

Target

2da70ec19ccc974521025ffc8f32a1983b6517d1151ef4943c69d062954d3d3c
Size

506KB
Sample

221128-b8gyfsah3w
MD5

1021c89494503fdec076272280957248
SHA1

3aad175ba9003458dd33846c024a09ae989e0686
SHA256

2da70ec19ccc974521025ffc8f32a1983b6517d1151ef4943c69d062954d3d3c
SHA512

64cbee371c3729418d6055bd7f67accd42d2c240ffe1bb1f8302056ef7c67d07f07401798862b13df459c3f71864c056929033b6d9eecce3668ed2edc907ce5e
SSDEEP

12288:cxvqLRvMeJeAYgZ0N8+VI9Hx9tRYhHAwpXeE:cxfeJezgk8+VCEhHAwp

Score

10^/10

gozi 2782923 banker isfb persistence ransomware trojan

Static task

static1

Behavioral task

behavioral1

Sample

2da70ec19ccc974521025ffc8f32a1983b6517d1151ef4943c69d062954d3d3c.exe

Resource

win7-20220812-en

gozi 2782923 banker isfb persistence ransomware trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

2da70ec19ccc974521025ffc8f32a1983b6517d1151ef4943c69d062954d3d3c.exe

Resource

win10v2004-20220812-en

gozi 2782923 banker isfb persistence ransomware trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

2782923

C2

tmadecorrespondence.com

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  2da70ec19ccc974521025ffc8f32a1983b6517d1151ef4943c69d062954d3d3c
- Size
  
  506KB
- MD5
  
  1021c89494503fdec076272280957248
- SHA1
  
  3aad175ba9003458dd33846c024a09ae989e0686
- SHA256
  
  2da70ec19ccc974521025ffc8f32a1983b6517d1151ef4943c69d062954d3d3c
- SHA512
  
  64cbee371c3729418d6055bd7f67accd42d2c240ffe1bb1f8302056ef7c67d07f07401798862b13df459c3f71864c056929033b6d9eecce3668ed2edc907ce5e
- SSDEEP
  
  12288:cxvqLRvMeJeAYgZ0N8+VI9Hx9tRYhHAwpXeE:cxfeJezgk8+VCEhHAwp
Score

10^/10

gozi 2782923 banker isfb persistence ransomware trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

Tasks

static1

behavioral1

gozi2782923bankerisfbpersistenceransomwaretrojan

behavioral2

gozi2782923bankerisfbpersistenceransomwaretrojan

© 2018-2024

Terms | Privacy