gozi | 9d7301c67f1622ae78ecb47d85bf5e693bc92f2a4c963068c03b6f7b24f33b96 | Triage

Submit
Reports

Overview

overview

Static

static

9d7301c67f...96.exe

windows10-2004-x64

Resubmissions

29/12/2022, 04:29

221229-e38qrscc96 10

27/12/2022, 22:01

221227-1xk86sbg2s 10

Sharing

Copy URL Twitter E-mail

General

Target

9d7301c67f1622ae78ecb47d85bf5e693bc92f2a4c963068c03b6f7b24f33b96
Size

301KB
Sample

221229-e38qrscc96
MD5

2696436262a5e030ee3ea3957fed4c9a
SHA1

7dc56a360e948a0f9818abc5dbe1264e3595c054
SHA256

9d7301c67f1622ae78ecb47d85bf5e693bc92f2a4c963068c03b6f7b24f33b96
SHA512

180f8cdd55fd7454a40053f4e1ad962fb6b1374a24a10ccd00027cbd6e480259084131c11ca8d259ed3557ad9ecd9b09d1076ba437a1c685845e8b59d7735531
SSDEEP

6144:NTLZ0WbjOnFu5ROu41+xgp/9UZdLaYon5Jk4eROw:Jl0BuvOzUdin5JF

Score

10^/10

gozi smokeloader 22500 backdoor banker isfb persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

9d7301c67f1622ae78ecb47d85bf5e693bc92f2a4c963068c03b6f7b24f33b96.exe

Resource

win10v2004-20220812-en

gozi smokeloader 22500 backdoor banker isfb persistence trojan

windows10-2004-x64

31 signatures

1800 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

22500

C2

confisg.edge.skype.com

http://

s28bxcw.xyz

config.edgse.skype.com

http://89.43.107.7

Attributes

base_path
/recycle/
build
250249
exe_type
loader
extension
.alo
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

22500

C2

confisg.edge.skype.com

http://5icvzwz.xyz

http://185.14.45.80

Attributes

base_path
/recycle/
build
250249
exe_type
worker
extension
.alo
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  9d7301c67f1622ae78ecb47d85bf5e693bc92f2a4c963068c03b6f7b24f33b96
- Size
  
  301KB
- MD5
  
  2696436262a5e030ee3ea3957fed4c9a
- SHA1
  
  7dc56a360e948a0f9818abc5dbe1264e3595c054
- SHA256
  
  9d7301c67f1622ae78ecb47d85bf5e693bc92f2a4c963068c03b6f7b24f33b96
- SHA512
  
  180f8cdd55fd7454a40053f4e1ad962fb6b1374a24a10ccd00027cbd6e480259084131c11ca8d259ed3557ad9ecd9b09d1076ba437a1c685845e8b59d7735531
- SSDEEP
  
  6144:NTLZ0WbjOnFu5ROu41+xgp/9UZdLaYon5Jk4eROw:Jl0BuvOzUdin5JF
Score

10^/10

gozi smokeloader 22500 backdoor banker isfb persistence trojan
- Detects Smokeloader packer
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozismokeloader22500backdoorbankerisfbpersistencetrojan

© 2018-2025

Terms | Privacy