gozi | d2b41392e12bfdf13e131ba3db02e5f21851a98df243403995b182ee15a1992c | Triage

Analysis

max time kernel
84s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2023 14:55

Sharing

Report Analysis Logs

General

Target

test.dll
Size

1.4MB
MD5

04c9f5abf862f834e68abf9f88e64013
SHA1

b578bae2483d4a5e0ac83aa6fcafaa3ff415468b
SHA256

d2b41392e12bfdf13e131ba3db02e5f21851a98df243403995b182ee15a1992c
SHA512

b05529f262cad69cd8bcfcd793fa644d74bf7be23423180fa418ca11428918a264ed7e615d255086e69ada85efc3b2e41719d2ce09962356b9ad0737820e7f60
SSDEEP

12288:EfJ2dpC+/doJSnFlxGIDWv5EghEug86SbJqLb47v:aUCudoJsxGIDWv5N0OELb4

Score

10^/10

gozi 1000 banker ldr4 trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

https://merrovalt.top

Attributes

host_keep_time
2
host_shift_time
1
idle_time
1
request_time
10

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1964 3612 WerFault.exe regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\test.dll
1⤵
PID:3612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3612 -s 524
2⤵
- Program crash
PID:1964

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 3612 -ip 3612
1⤵
PID:5012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3612-132-0x0000000180000000-0x0000000180014000-memory.dmp

Filesize
80KB

Download
memory/3612-136-0x0000000002A00000-0x0000000002A13000-memory.dmp

Filesize
76KB

Download