gozi | fb66da43a5b6f7e9511491cc6e8c5347d021a5b77535783d72d58b56055888ef | Triage

Submit
Reports

Overview

overview

Static

static

fb66da43a5...ef.exe

windows7-x64

fb66da43a5...ef.exe

windows10-2004-x64

Sharing

General

Target

fb66da43a5b6f7e9511491cc6e8c5347d021a5b77535783d72d58b56055888ef
Size

316KB
Sample

221128-xxcp9aaa87
MD5

1ffdeddc1c8a3b697f27c56a17f38c4d
SHA1

f9182674f8c3206147878a5a4ccd5851ae71b43e
SHA256

fb66da43a5b6f7e9511491cc6e8c5347d021a5b77535783d72d58b56055888ef
SHA512

b7c39acec50e9960854d1de42f4eb9bfae54eed832b21ab6f14aa8ee4490d156064fa318fed9078c9f4a87ce34fd43006d71ad7c2b693c0c706afd139a139cc3
SSDEEP

6144:7zslDnz2P0qh2aiWShzRfowVwBxDVzoC+zwaZIC+D5nHnnHnnHnHnXXXnnnnn33g:UlDnqs821WiZNADVNbY2nHnnHnnHnHnw

Score

10^/10

gozi 1000 banker isfb persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

fb66da43a5b6f7e9511491cc6e8c5347d021a5b77535783d72d58b56055888ef.exe

Resource

win7-20220812-en

gozi 1000 banker isfb persistence trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

fb66da43a5b6f7e9511491cc6e8c5347d021a5b77535783d72d58b56055888ef.exe

Resource

win10v2004-20221111-en

gozi 1000 banker isfb persistence trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

redwoodmotors.ru

pampers-globalworld.ru

pinkfloyd-mp3love.ru

sosandhelpconnect.ru

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  fb66da43a5b6f7e9511491cc6e8c5347d021a5b77535783d72d58b56055888ef
- Size
  
  316KB
- MD5
  
  1ffdeddc1c8a3b697f27c56a17f38c4d
- SHA1
  
  f9182674f8c3206147878a5a4ccd5851ae71b43e
- SHA256
  
  fb66da43a5b6f7e9511491cc6e8c5347d021a5b77535783d72d58b56055888ef
- SHA512
  
  b7c39acec50e9960854d1de42f4eb9bfae54eed832b21ab6f14aa8ee4490d156064fa318fed9078c9f4a87ce34fd43006d71ad7c2b693c0c706afd139a139cc3
- SSDEEP
  
  6144:7zslDnz2P0qh2aiWShzRfowVwBxDVzoC+zwaZIC+D5nHnnHnnHnHnXXXnnnnn33g:UlDnqs821WiZNADVNbY2nHnnHnnHnHnw
Score

10^/10

gozi 1000 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi1000bankerisfbpersistencetrojan

behavioral2

gozi1000bankerisfbpersistencetrojan

© 2018-2024

Terms | Privacy