gozi | cfe6b53554aaf19a2adf3a64ac5133705d6529396de72a80f88a9446ed5ccc6f | Triage

Sharing

General

Target

Agenzia_Entrate.zip
Size

7.6MB
Sample

230302-pxcfgscf2y
MD5

6ceaad476cacd69b31f3ff6181662ada
SHA1

f0fec57b42ed700d0ef123152c8b71369df57d72
SHA256

cfe6b53554aaf19a2adf3a64ac5133705d6529396de72a80f88a9446ed5ccc6f
SHA512

eeb64cffd50b7124059d9d7c3dc07f9c65d16f73147ea4a5b477204d9fe7ce2761eec11e1dc7923a5e033be9b21c56d4b43ea36c7265a892ac88e230321fafdd
SSDEEP

196608:xdU6C3K4ZTDbvQMVMdkY6kvtCNTK8v/XbvQMVMdkY6kLjN8:ZCfVvQMVV66bzvQMVVEjN8

Score

10^/10

gozi 7709 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7709

C2

checklist.skype.com

62.173.141.252

31.41.44.33

109.248.11.112

Attributes

base_path
/drew/
build
250255
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  Agenzia_Entrate/Informazione_Azienda.exe
- Size
  
  716.5MB
- MD5
  
  6b2289e478ba947fcdf3162d7dfcc866
- SHA1
  
  6ddee30e77c993cc3c7bd7448115b0910ac35f02
- SHA256
  
  360662fe225833af7db84c550f8fb9f7afe7333a9b0e2ca436c9c242d9a87975
- SHA512
  
  b1334513bd3febd6e2408404fd63d3f59ed6261f28d045686b21ef7f71f9952affef9a72021f7a541fb6b689016c3344c8907a98dd7ce4d1ed9f32ca43f8aebe
- SSDEEP
  
  24576:HJqQKnVYxHs6MxrRcnWOVY1st7Xm1KoY9x:QVYNs6yRc6stKR+
Score

10^/10

gozi 7709 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Agenzia_Entrate/report/drivers/DMWmiBridgeProv.dll
- Size
  
  4.2MB
- MD5
  
  e246609fb36a7acf63392533e48c285e
- SHA1
  
  99dea381d15b2af7e68cfed5f9d75c33c8be8a12
- SHA256
  
  ef7da20805406961052d0146cec2c7f1b5ba4db17a114e15a237f33e5768e7cb
- SHA512
  
  e29279134cf4b81fde4bdba36c484d839eff3a2a7ca191d004e984e847488441b97b4830d3198149f26d54e3d1bf9e3cf4e29d58008e0c3b1876c057463cd6a5
- SSDEEP
  
  49152:aRA/BFSzrERnqG8eHH5UmdSqr2KjUQqTjU/4xFcGw:aRQDUSr2q6Fx
Score

1^/10
behavioral3 behavioral4
- Target
  
  Agenzia_Entrate/report/drivers/XblAuthManager.dll
- Size
  
  1.0MB
- MD5
  
  b62c41e672194a919028786e4a480541
- SHA1
  
  1126775fa1ca75a7eb31d45fe084439d6b062d78
- SHA256
  
  1a5dce5775cd0a511f0edcb23669525590f0f94455c567ddb76dd15c8f25d347
- SHA512
  
  629fadbd1b8f1d0a39b99cdca2b51bce242a7e5973ad29dbd1ac216b76a7ff8ddbf439346ad9b84d3c98fbd98d3907bbb73db28b2199f6ccbdb97d4407a80173
- SSDEEP
  
  24576:T9sMfLNd1RBnhk5OL07WdvHiLmM2cyFGY:T9sMBd1RZhkodvHiLmM2cy1
Score

1^/10
behavioral5 behavioral6
- Target
  
  Agenzia_Entrate/report/drivers/mfcsubs.dll
- Size
  
  36KB
- MD5
  
  817f94733db9bcea6bcd4fd81296f82b
- SHA1
  
  ef61fbe7e7cee4642dc695b45cdf5b6b40ed6f23
- SHA256
  
  bb4f7ea087bec11099be250a0eb4dbaffe6485c60303cebea179a5c602fb061b
- SHA512
  
  e8287c634860a3b434f69b4da49a67c00d7fa4488e1e3706e5932e76042f783db78ff6228272a6de5a49048531a69aaa7343d4d2b55e57c5472b7b3ccd3532a8
- SSDEEP
  
  768:ZObYehNicpfJ1T5D4R6KRq+erJARce+CLj5YnWGRYJA2x:2hNd1Tk607er+Lj5YnWGkA2x
Score

3^/10
behavioral7 behavioral8
- Target
  
  Agenzia_Entrate/report/drivers/wxmsw30u_core_gcc_custom.dll
- Size
  
  3.9MB
- MD5
  
  96dc90661d7cce32c07ac48b5cad827a
- SHA1
  
  85c524c1f50918c031d4c89062585e631326b03e
- SHA256
  
  0e2b3d07a2a1566ebc88c62f5686b7442ab080748aaf3724a79905cec7ce2710
- SHA512
  
  4ae1657afd2de15fdc9c89746f6e65e1d8a3a2b1d5e5e85147a87fea5af65172960a28d5c6b6e11c48d9bdf630f9425681a8bef1acd494ee72b82b34bd89dcc1
- SSDEEP
  
  49152:HhKUOpZBGzuCxBjtPIUv2Ab3mktJGH7C7GH+a5O+lhDhV15JJrTfl+ii4efIYz2O:HOElxPbvN1wHVI
Score

1^/10
behavioral10 behavioral9
- Target
  
  Agenzia_Entrate/report/tran/app/drivers/AppManMigrationPlugin.dll
- Size
  
  1.2MB
- MD5
  
  3e4ead79d46b37df5ea8304d0ac81203
- SHA1
  
  9a4a8025a436e2195d8e4a2e6a3b8fd38803df60
- SHA256
  
  a3fcb57f0246a47954d295a93238b9030ecbc8b4629171d1970d3a1a7e116c6c
- SHA512
  
  d364b6f14d18e02ae5f4121eba5a23f5125b8bda1796a952b299e0b714975e5e3c9382ecde53fe5c3071659b4dde5836b9eb8cef725e5c26b1b83c45792281db
- SSDEEP
  
  24576:lBQ7WkYroJl3Gr4BHinn5tc6WncxnPzey+IzpkMWfnTtpkODim+:l5km2RG8BHi58kODi1
Score

7^/10

persistence
- Registers COM server for autorun
  persistence
behavioral11 behavioral12
- Target
  
  Agenzia_Entrate/report/tran/app/drivers/cimwin32.dll
- Size
  
  2.0MB
- MD5
  
  0afa87ff5ad4a8c03d85e3b4b02bbc26
- SHA1
  
  ee7d092df5afcd830ca3bcd647f920ffb2e76ba8
- SHA256
  
  d644b180964e94c4764a08e0dbf85128b5ffb11c13e239892d0fd08ec450c9fd
- SHA512
  
  b537420d25b803461af57566617d00f6ba8e8fb4d70c4468301b2fc27d27e0690a79c20f85ed68bf2dd5c69d572479d89a3bee33e72d5d1e6a1b58c0f3e10ed6
- SSDEEP
  
  49152:EfuNZX7xELbQZrdFqAkAFchIvwlqRUD2/0Q+sF:lAbQ1qA3chIvwl9O0
Score

7^/10

persistence
- Registers COM server for autorun
  persistence
behavioral13 behavioral14
- Target
  
  Agenzia_Entrate/report/tran/app/en/audit.exe.mui
- Size
  
  4KB
- MD5
  
  7b24d9094c5e280339308c3c07f590c4
- SHA1
  
  a8fce59c852653f646eefaddaf4326a60d0aec2c
- SHA256
  
  fefb48f24b49a3d53c05cd995857d9305d70e91f3c14661fe24ebe3b5f1b8d3f
- SHA512
  
  c970686c4d0d522ad0a8515dd6ebe7386273d8dd83f42dfb6247158081b9871ecb2ffbda5c31f769e89a8495d73179cae77249b7b07d1aae1de931c49e7ab6ba
Score

1^/10
behavioral15 behavioral16
- Target
  
  Agenzia_Entrate/report/tran/app/en/libpng16-16.dll
- Size
  
  235KB
- MD5
  
  7e82a150c75c5b30dc82d35af29b8387
- SHA1
  
  a1ae139ded212b014f92173a6b3cdf91d931eeb6
- SHA256
  
  d7d9d3f584067414f4196b5ff1ee9aff2eafbf3a686340ae18e5dc9ea7c1aaef
- SHA512
  
  7171a1086bc8c746fc2102902fdff7247288cb2d08861abb85ef5bbca47169cd923acf7707f09aa091d283868388641cecc67547ecc776e6f4d897e1ac44ac4c
- SSDEEP
  
  6144:8nClFOtV9yvLwdZRLFfn4lShPNEoDHHpwpFLhKNe:8BVQgRLFfPh1E+HpeKw
Score

1^/10
behavioral17 behavioral18
- Target
  
  Agenzia_Entrate/report/tran/app/short/Xaml.Controls.Tabs.dll
- Size
  
  1.6MB
- MD5
  
  fc64906f12cad3266c738f02f5674056
- SHA1
  
  df2316d13a56ba7b93c448d0ca3ddfba75f63287
- SHA256
  
  df2a64f41527e99678f127c325e1d1e39599008cb11eb2f39f371211035d979e
- SHA512
  
  9c10507f6b132695581b13d28536f9008213dfe5f59cdd8e3eeab15a4ae7c09a0f5c4be62098dc7b0e6e19847c03ef837c5011487497b491330696a5659e4ef9
- SSDEEP
  
  49152:xaE1ostNVjl5EsBioFTvhlUiXww7PXCpTIULJ0a:LzXCqE
Score

1^/10
behavioral19 behavioral20
- Target
  
  Agenzia_Entrate/report/tran/app/short/wxmsw30u_core_gcc_custom.dll
- Size
  
  3.9MB
- MD5
  
  96dc90661d7cce32c07ac48b5cad827a
- SHA1
  
  85c524c1f50918c031d4c89062585e631326b03e
- SHA256
  
  0e2b3d07a2a1566ebc88c62f5686b7442ab080748aaf3724a79905cec7ce2710
- SHA512
  
  4ae1657afd2de15fdc9c89746f6e65e1d8a3a2b1d5e5e85147a87fea5af65172960a28d5c6b6e11c48d9bdf630f9425681a8bef1acd494ee72b82b34bd89dcc1
- SSDEEP
  
  49152:HhKUOpZBGzuCxBjtPIUv2Ab3mktJGH7C7GH+a5O+lhDhV15JJrTfl+ii4efIYz2O:HOElxPbvN1wHVI
Score

1^/10
behavioral21 behavioral22

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi7709bankerisfbpersistencetrojan

behavioral2

gozi7709bankerisfbpersistencetrojan

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22