gozi | f4b9bed143b714df0405531aa041fe29bfdecc5e10cfe97002687217fd95cc11 | Triage

Submit
Reports

Overview

overview

Static

static

1

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

file
Size

314KB
Sample

230208-qt543abb53
MD5

5cff4c33cbc6e1ccf53952ac54aef16c
SHA1

ec660378cc11724e3914b9f8faec488fc228573b
SHA256

f4b9bed143b714df0405531aa041fe29bfdecc5e10cfe97002687217fd95cc11
SHA512

4ed147624483079a6c9276603f8ea662bb89e34dbdaacce451c86090241862ac46e38f3be7dc883d6574484b28062c0d13f387051d1cd42afe78f122c0557a9a
SSDEEP

3072:Lwz0dZZ+B7uOuRpm8fOCbKyEWIcXqjyYFYaTmRLStKRxhUwEbj:Lu0byubph2qErcQHmgtKBEX

Score

10^/10

gozi laplas smokeloader 1001 backdoor banker clipper isfb stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20221111-en

smokeloader backdoor trojan

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20221111-en

gozi laplas smokeloader 1001 backdoor banker clipper isfb stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1001

C2

https://checklist.skype.com

http://176.10.125.84

http://91.242.219.235

http://79.132.130.73

http://176.10.119.209

http://194.76.225.88

http://79.132.134.158

Attributes

base_path
/microsoft/
build
260255
exe_type
loader
extension
.acx
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd

Targets

- Target
  
  file
- Size
  
  314KB
- MD5
  
  5cff4c33cbc6e1ccf53952ac54aef16c
- SHA1
  
  ec660378cc11724e3914b9f8faec488fc228573b
- SHA256
  
  f4b9bed143b714df0405531aa041fe29bfdecc5e10cfe97002687217fd95cc11
- SHA512
  
  4ed147624483079a6c9276603f8ea662bb89e34dbdaacce451c86090241862ac46e38f3be7dc883d6574484b28062c0d13f387051d1cd42afe78f122c0557a9a
- SSDEEP
  
  3072:Lwz0dZZ+B7uOuRpm8fOCbKyEWIcXqjyYFYaTmRLStKRxhUwEbj:Lu0byubph2qErcQHmgtKBEX
Score

10^/10

smokeloader backdoor trojan gozi laplas 1001 banker clipper isfb stealer
- Detects Smokeloader packer
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

gozilaplassmokeloader1001backdoorbankerclipperisfbstealertrojan

© 2018-2025

Terms | Privacy