gozi | c1564e8a73107c41618e8f36568924dfe286f6b1a82bd4b97ad18097a9693505 | Triage

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-04-2023 13:44

Sharing

Report Analysis Logs

General

Target

lame.dll
Size

187KB
MD5

600764b14a6e39961594ed8e67c3eeb6
SHA1

5b5cc61391968958236d54eb0fe7229386b58c64
SHA256

dbbd275a4b1da0b93a1ef2c5e7c75f5f020979dcc502fd1bc28b3b40cf1d255a
SHA512

a7636a755d816f386ec650648f96ab4c55ddd05bd607ca59868e66af079e0e9b829947d407e17bd68c1208d6ae7f985f602388270289cab9ba26d253f2f38c18
SSDEEP

3072:Q4+YN4lPeFpVa5f8gy5q86UIQz+GypacRLu1O+TvTIGapG4S+1prXFnK:cCQ7y5qzzJpVRLu1fcjDV9K

Score

10^/10

gozi 1000 banker ldr4 trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

https://vertalis.top

Attributes

host_keep_time
2
host_shift_time
1
idle_time
1
request_time
10

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4496 2428 WerFault.exe regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\lame.dll
1⤵
PID:2428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2428 -s 436
2⤵
- Program crash
PID:4496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 2428 -ip 2428
1⤵
PID:3712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2428-133-0x0000000180000000-0x0000000180014000-memory.dmp

Filesize
80KB

Download
memory/2428-138-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2428-137-0x00000000027B0000-0x00000000027C3000-memory.dmp

Filesize
76KB

Download
memory/2428-143-0x00000000625C0000-0x00000000625F5000-memory.dmp

Filesize
212KB

Download