gozi

Sharing

Copy URL

Twitter E-mail

General

Target

553752231804010536.rar
Size

2.2MB
Sample

230707-jbq4vsgh5s
MD5

8c919c4c93a6d1b7afc77cf6d851c4cb
SHA1

a67d0d4df0a6bfb04e2d3410ce998db52faca0c7
SHA256

d75ecbed0a0bfea3a71dde0aed0958e5d98e2890d520532a09a4e5321d7d680a
SHA512

29798f2d41b505c13cd9b232efed93ecc8dcf6eaccd0022b2ed67eea5bdf1dfcdab37acdc18b9f1cf4f2095734d1e3e645541c58002baabfb3fa368b49360812
SSDEEP

49152:h/LWoL80/5jsLbi6YFDZ0emIev4YujFxWMRm1CKmzQv8xbgF:h/LWoL1hUbivYe1ZYaxWMw1JmzQvss

Score

10^/10

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

repeseparation.ru

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  d44580ffdb610f1e16bb1aa1-1671885c0c25bc69333368a6-cd55441bbeb4517f30766c0e80428782.exe
- Size
  
  667KB
- MD5
  
  228528e1171885f06cc5229916db396a
- SHA1
  
  8abb08cbdd58d1764330e2e3f97ae9bacea37fe6
- SHA256
  
  bb80edc51af9d03fbcd338464d5fa5125b0a793e26775f9227bceda47c824bfc
- SHA512
  
  c0b5c2b3ccfd2b1078c4edbcf62dde1edeb8bb7b663759825d6035565dfb5d226180b067570e4fe10bfa44347777501d4ccdab9b9e98f4b84d6539923a123c47
- SSDEEP
  
  12288:NqYAuKNceB6vtYbze0/nfLpbrTmtpdqEhXzGIsMW5Amw0Ya74e+JClNj:UYAUeZj/nfLpbnmjdPzhsMW5AmRx8bJI
Score

10^/10

gozi 1000 banker discovery isfb persistence phishing spyware stealer trojan upx
- Detected phishing page
  phishing
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Nirsoft
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  dpp.dll
- Size
  
  1.9MB
- MD5
  
  692026ff118997f30b9c314df54bce25
- SHA1
  
  a09c770f410ad4df8e78c6d0723f70521cfb63f1
- SHA256
  
  75c5725344092eb7a9f0c2c74c85a98f73d7d4c8201a677b206c35655c2e33d8
- SHA512
  
  60d5b1b29e19150636a0b7c593e95bac2bc42c0cc2dd6335cc45794f64fc5f64044f64365a9ef742616ffc025e121f2455425808a44add02bb28173394b87e36
- SSDEEP
  
  24576:myAuvuKXRiZAhSso8JceUkeo4YUPyGdT0QP5YYM5RaIz7pMqijwG0Vzcd00:myvXawC6UkZ4YUtzPSYES0Vzcd00
Score

5^/10
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  libcrypto-1_1.dll
- Size
  
  2.5MB
- MD5
  
  31643a6540ba24cf98a97cef42634048
- SHA1
  
  0206d691eaa40885713327c11e000cb771a21703
- SHA256
  
  e36557189986f864b35c4f3d66b3356ce242c73217ec9ec5c3d66453c480633f
- SHA512
  
  5f5c74fecacb723126ff099ad7303af500b5125ecef2966fb3104d3668d07e836266680a7628a63a5a26200f6139bed77e7f5c7533a9934cb81be9857800de41
- SSDEEP
  
  49152:cmjrvGvz67Ltvwm98Iq1CPwDv3uFfJIfAE3C:cmjbXLim98b1CPwDv3uFfJ
Score

3^/10
behavioral5 behavioral6
- Target
  
  libsodium.dll
- Size
  
  329KB
- MD5
  
  be8a4636d7dd224ef4774065189ce7ff
- SHA1
  
  6aadb8d601333a3136647cb8a96480e277798d9e
- SHA256
  
  84fa23e1bd52d64265d6eb31b72fb40bb539856110633a6e0583003290e5f61a
- SHA512
  
  2fe3b94f473f81e6e8834455789d9401dcd4650b66a24a57d9f923ca9487e3cccbaf9caeb9033ef63bbb287a4c41776587776b2acf3281fa99d7f285d0bf27a9
- SSDEEP
  
  6144:A3i+tJnFTK1+EGqOX9lHy7e460QmXV50DErDbvt:l+tZqO3460QmwD6b
Score

1^/10
behavioral7 behavioral8
- Target
  
  libssl-1_1.dll
- Size
  
  523KB
- MD5
  
  46c50a365a8a11627137ad52e4ab2f94
- SHA1
  
  6d02dc794a756c077233f074bd85c4b8241c24df
- SHA256
  
  187b33ab7a95d4722ff7dc6e2a0e6f121f68fd034b708a946b76748ec2a39b83
- SHA512
  
  3e2bdb912e77c249950d3dac3d3937d716e982fa9dfa3aeb48760219e53e99e70292294cc80992095bb18ee62329aac69c253dea2ae6037c9e80e1500a32b1c0
- SSDEEP
  
  12288:gypyeH2O8Dkmb4yjpesKWjy/MMk+cdU2lvzAE:lceHp5PIQMT+aU2lvzAE
Score

1^/10
behavioral10 behavioral9
- Target
  
  opus.dll
- Size
  
  307KB
- MD5
  
  a4c7c50ebed6a72ead1baa4cb3057c81
- SHA1
  
  21ae7d92ce5f6684c2bb091a780830fb7e2263c0
- SHA256
  
  0d518b2def8d3e2d6a1d221ddc6d66a338ab1ba6068461d1cf5f3b7d39c97793
- SHA512
  
  1d679f5d0805907ada13a79b5d673ff1262334fbed6bdda2812a4c183aea7dd1d775f847048d5c5d06aa920b76936b61ad7426e77502807935a93ec953e03071
- SSDEEP
  
  6144:TqrbR0re3Pr2VvnErmo03zglw+VH2jNAZ2EG7cjplyDjCa/ZLBvBm8v:WrN0re3T2VvECoeV+J822EPyDjCa/x
Score

1^/10
behavioral11 behavioral12
- Target
  
  zlib1.dll
- Size
  
  73KB
- MD5
  
  05bf83777d5b6c7bf74a512f51f34a7b
- SHA1
  
  5c177218220a9c1df6eff2fc46bf3dd512986222
- SHA256
  
  0d2a785476bf5ab1906f4738e92df18a2c438e27225c1c1cac9afe77417c0b46
- SHA512
  
  0249ac76f843b3d46120da665ebe3b361f120477997f3809b88188d1afeffa2a789f5a990930441f54729d1e806c2ce005893ac77a88dd87d302e2ee49eba941
- SSDEEP
  
  1536:iD5gPaCVRn77BGHXrfD0zelgdRH/KNn6BnToIfhIOsIOEmhfgh:Q59+R7t+szelgdRfKNcTBfLiEmhfgh
Score

3^/10
behavioral13 behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Network Service Scanning

T1046

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detected phishing page

Nirsoft

Creates new service(s)

Downloads MZ/PE file

Drops file in Drivers directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Reads user/profile data of web browsers

Registers COM server for autorun

UPX packed file

Checks installed software on the system

Creates a large amount of network flows

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14