gozi | b022589826a7bc89a45d106fae7f45b8cd7c7e24da607808277ef493fdc6f3d1 | Triage

Submit
Reports

Overview

overview

Static

static

b022589826...d1.exe

windows7-x64

b022589826...d1.exe

windows10-2004-x64

Sharing

General

Target

b022589826a7bc89a45d106fae7f45b8cd7c7e24da607808277ef493fdc6f3d1
Size

251KB
Sample

221204-eky4lsec49
MD5

0c9d5b79ae769d2c011cba479a34b20b
SHA1

5dbd11b32ed6477d9208f3676cdf72b4bc38b7fa
SHA256

b022589826a7bc89a45d106fae7f45b8cd7c7e24da607808277ef493fdc6f3d1
SHA512

4158b89e4b0f3e5b67566f1463bfcf0d3306a9119f893be1e937f93c43946712835046d92fcb6e8ccac6bae74c305138c393b50ccc62ea7219358943a7fffa18
SSDEEP

3072:SFEQJkdZxE9L96rEfa5MGdDJ1CMHQ7o0fNmeg9o4mvwpbDu/iYWJKt:SFvJkPxE/6bxfCMHQpNFsVmky6YWQ

Score

10^/10

gozi 1000 banker isfb persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

b022589826a7bc89a45d106fae7f45b8cd7c7e24da607808277ef493fdc6f3d1.exe

Resource

win7-20221111-en

gozi 1000 banker isfb persistence trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

b022589826a7bc89a45d106fae7f45b8cd7c7e24da607808277ef493fdc6f3d1.exe

Resource

win10v2004-20220812-en

gozi 1000 banker isfb persistence trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

goliathuz.com

musicvideoporntip3s.ru

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  b022589826a7bc89a45d106fae7f45b8cd7c7e24da607808277ef493fdc6f3d1
- Size
  
  251KB
- MD5
  
  0c9d5b79ae769d2c011cba479a34b20b
- SHA1
  
  5dbd11b32ed6477d9208f3676cdf72b4bc38b7fa
- SHA256
  
  b022589826a7bc89a45d106fae7f45b8cd7c7e24da607808277ef493fdc6f3d1
- SHA512
  
  4158b89e4b0f3e5b67566f1463bfcf0d3306a9119f893be1e937f93c43946712835046d92fcb6e8ccac6bae74c305138c393b50ccc62ea7219358943a7fffa18
- SSDEEP
  
  3072:SFEQJkdZxE9L96rEfa5MGdDJ1CMHQ7o0fNmeg9o4mvwpbDu/iYWJKt:SFvJkPxE/6bxfCMHQpNFsVmky6YWQ
Score

10^/10

gozi 1000 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi1000bankerisfbpersistencetrojan

behavioral2

gozi1000bankerisfbpersistencetrojan

© 2018-2024

Terms | Privacy