gozi | b4211893ad2b50f6999dd14af4609377030bc0bfebc5dbb370589cf098cb6cd3

Analysis

max time kernel
139s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-12-2022 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00000810.dll
Size

3.1MB
MD5

a05655987e5eab2fd5dc6a27685208f6
SHA1

a2eecf5f7d4bbe9e837122be023022339095a02d
SHA256

b4211893ad2b50f6999dd14af4609377030bc0bfebc5dbb370589cf098cb6cd3
SHA512

c5e80fb3ed68aa2fc916b4ef0ced4b6f157508e93a6891450476d65ef61ab026d3ea39c8b37c7e71d2eafb0ce3bc84da7d14edad56108205a9a162be9d09d0ce
SSDEEP

49152:8TtALAAAAAAAAP7AAAAAAAAAAM3AAAAAAfACziallWAAAA6AAAAAAAAAAAqAAAAC:SACg9tmG4dpu

Score

10^/10

gozi 202211171 banker ldr4 trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

202211171

https://noiress.xyz

https://ofdore.xyz

Attributes

host_keep_time
2
host_shift_time
5
idle_time
1
request_time
10

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1636 systeminfo.exe

pid	process
1636	systeminfo.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.execmd.exe

description	pid	process	target process
PID 1340 wrote to memory of 1240	1340	regsvr32.exe	cmd.exe
PID 1340 wrote to memory of 1240	1340	regsvr32.exe	cmd.exe
PID 1340 wrote to memory of 1240	1340	regsvr32.exe	cmd.exe
PID 1240 wrote to memory of 1636	1240	cmd.exe	systeminfo.exe
PID 1240 wrote to memory of 1636	1240	cmd.exe	systeminfo.exe
PID 1240 wrote to memory of 1636	1240	cmd.exe	systeminfo.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\00000810.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\cmd.exe
cmd /c "systeminfo" >> C:\Users\Admin\AppData\Local\Temp\6054.tmp
2⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\system32\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6054.tmp
Filesize
2KB

MD5
bdc4df43cbcb9ec761b27e90d52acf07

SHA1
6eb936484393813bf7d282676f6d396b0e704790

SHA256
3dd75ea0e60cf062113d8ee923202f23080a1336ec8e88a88d1682ef9698d8d2

SHA512
ac4c77cad4b787b8904b5d1c892d4963066a7f01338e8b5cb44238c16cf22710df37ed6343aad6a73d353a689271038f07e00c5ee6c4d2338ca06b49d31d3ee1

Download Submit
memory/1240-64-0x0000000000000000-mapping.dmp

Download
memory/1340-54-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

Filesize
8KB

Download
memory/1340-55-0x0000000180000000-0x0000000180014000-memory.dmp

Filesize
80KB

Download
memory/1340-59-0x0000000000140000-0x0000000000153000-memory.dmp

Filesize
76KB

Download
memory/1636-65-0x0000000000000000-mapping.dmp

Download