gozi | d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674 | Triage

Submit
Reports

Overview

overview

Static

static

d5ebcdac45...74.exe

windows7-x64

d5ebcdac45...74.exe

windows10-2004-x64

Sharing

General

Target

d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674
Size

305KB
Sample

221128-j7mfjshc85
MD5

f4cdbef32c96169f9194b6b33b3f7c26
SHA1

53d0738923bcd20bddf9e280d281a81225378162
SHA256

d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674
SHA512

de2ee95658cfe3dd78a688932dd140849b04b7f6da869294d486326a010ccb6137264a4f924f88b4c4e3c6584399aa869ef6ec912e1d54b87ca05b67b4f861b9
SSDEEP

6144:VId7WQ8X2rBWueOlQb2NOShT5RmUjD5uT:Vw7L+2rBWuFltF8UjD5uT

Score

10^/10

gozi 1010 banker isfb persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe

Resource

win7-20221111-en

gozi 1010 banker isfb persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe

Resource

win10v2004-20221111-en

gozi 1010 banker isfb persistence trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

redwoodmotors.ru

pampers-globalworld.ru

pinkfloyd-mp3love.ru

sosandhelpconnect.ru

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674
- Size
  
  305KB
- MD5
  
  f4cdbef32c96169f9194b6b33b3f7c26
- SHA1
  
  53d0738923bcd20bddf9e280d281a81225378162
- SHA256
  
  d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674
- SHA512
  
  de2ee95658cfe3dd78a688932dd140849b04b7f6da869294d486326a010ccb6137264a4f924f88b4c4e3c6584399aa869ef6ec912e1d54b87ca05b67b4f861b9
- SSDEEP
  
  6144:VId7WQ8X2rBWueOlQb2NOShT5RmUjD5uT:Vw7L+2rBWuFltF8UjD5uT
Score

10^/10

gozi 1010 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi1010bankerisfbpersistencetrojan

behavioral2

gozi1010bankerisfbpersistencetrojan

© 2018-2024

Terms | Privacy