gozi | 0de7ea82be4acb882af007b3912969da1af9a4dc31b057d0e8aa549ea24ee11b | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

321KB
Sample

230208-1ycneshc56
MD5

63378c08c181a297c7c22843e5f9347d
SHA1

40b101fe68b133df842398b9420891bde46a4793
SHA256

0de7ea82be4acb882af007b3912969da1af9a4dc31b057d0e8aa549ea24ee11b
SHA512

e05fa49d332182282a368e8386f59d4fe2caff810f0f1b3ba71d15d6ed311f98c68bb265dbc56e0c34e385075060de9006b1e882911969a6ebafe7324da42baf
SSDEEP

6144:QkiV/ACYyy92M8TMcC/TH0eD0c+Liq0v:Q1RA+a2NXCT0e49m

Score

10^/10

gozi laplas smokeloader 1001 backdoor banker clipper isfb stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20220901-en

smokeloader backdoor trojan

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20220812-en

gozi laplas smokeloader 1001 backdoor banker clipper isfb stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1001

C2

https://checklist.skype.com

http://176.10.125.84

http://91.242.219.235

http://79.132.130.73

http://176.10.119.209

http://194.76.225.88

http://79.132.134.158

Attributes

base_path
/microsoft/
build
260255
exe_type
loader
extension
.acx
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd

Targets

- Target
  
  file.exe
- Size
  
  321KB
- MD5
  
  63378c08c181a297c7c22843e5f9347d
- SHA1
  
  40b101fe68b133df842398b9420891bde46a4793
- SHA256
  
  0de7ea82be4acb882af007b3912969da1af9a4dc31b057d0e8aa549ea24ee11b
- SHA512
  
  e05fa49d332182282a368e8386f59d4fe2caff810f0f1b3ba71d15d6ed311f98c68bb265dbc56e0c34e385075060de9006b1e882911969a6ebafe7324da42baf
- SSDEEP
  
  6144:QkiV/ACYyy92M8TMcC/TH0eD0c+Liq0v:Q1RA+a2NXCT0e49m
Score

10^/10

smokeloader backdoor trojan gozi laplas 1001 banker clipper isfb stealer
- Detects Smokeloader packer
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

gozilaplassmokeloader1001backdoorbankerclipperisfbstealertrojan

© 2018-2025

Terms | Privacy