gozi | 842a488e7f20a2e63eb7d08eaf9b140b468f6c0286249f48b615d7af04ea608d | Triage

Submit
Reports

Overview

overview

Static

static

1

Correction...f..lnk

windows7-x64

Correction...f..lnk

windows10-2004-x64

Sharing

General

Target

842a488e7f20a2e63eb7d08eaf9b140b468f6c0286249f48b615d7af04ea608d
Size

1012KB
Sample

230213-mwa5xsca9z
MD5

9a8807cb7e86af1abecbe7f52a01162b
SHA1

861a67fe5bd9bcc790d68d649dfc087a277d0f17
SHA256

842a488e7f20a2e63eb7d08eaf9b140b468f6c0286249f48b615d7af04ea608d
SHA512

989d50986e6e09b2682cd8e9e89aaea3e732c15b708aeaca6533f04e3a5e3d301f6df0c63c472e295c2fd3810e80257cb533611e1f1e2f6df383ea3cdb8ac2f5
SSDEEP

12288:z6auVk1fMXeAY/q37378MtyetwlgNf118DOEIjxm0A6bR/XQCw2mhVzjBW:znsk1UuNc37DyeSlcfpEIt1A6KCRmhVc

Score

10^/10

gozi 1000 banker ldr4 persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

Correction_req.pdf..lnk

Resource

win7-20220812-en

gozi 1000 banker ldr4 trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

Correction_req.pdf..lnk

Resource

win10v2004-20221111-en

gozi 1000 banker ldr4 persistence trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

https://mereter.cloud

Attributes

host_keep_time
2
host_shift_time
1
idle_time
1
request_time
10

aes.plain

Targets

- Target
  
  Correction_req.pdf..lnk
- Size
  
  293.1MB
- MD5
  
  0e7de4826bd78b409a224f2f58c5843d
- SHA1
  
  553ad02ca943105fdae585fbfb682855f5edbb24
- SHA256
  
  149a0f30fdc4943e37a83a31ebad5e6f1f31901e6ad3d54c00f69c84e70c93c1
- SHA512
  
  d4c9a2b5a5f1cbd897d7a5d4acce78315cb8e359b7c9ef4490a3371ca2e28be2c92ae62861216043967f35079d2adf484df5fbebc1fec3dd811a416a5982c1e1
- SSDEEP
  
  12288:T4OjM+EEjRhWs8g4avgzxl8oFubywIYeGPuxmiR1ky9VvzkUs37CQN:T4iMREtkzg4avgzEcwbPuxRH9V77srCK
Score

10^/10

gozi 1000 banker ldr4 trojan persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi1000bankerldr4trojan

behavioral2

gozi1000bankerldr4persistencetrojan

© 2018-2024

Terms | Privacy