gozi | c442edf2f963a0fa28e9525ec63904241dd78f0d1310f770f2f9a2f14b21aece | Triage

Submit
Reports

Overview

overview

Static

static

3

Downloads.zip

windows10-1703-x64

Sharing

General

Target

Downloads.zip
Size

23.1MB
Sample

231021-b3kgdseb52
MD5

c680ac48333450b51b7864d21895cc90
SHA1

92870f185c6be6b8d55a294f5de59c98061193d8
SHA256

c442edf2f963a0fa28e9525ec63904241dd78f0d1310f770f2f9a2f14b21aece
SHA512

29d5cb0edc4ce466bf8543305152e1d271d2357c00a688e48e63645742dc8c84ffd75860c809946507ed6ad5a4afa96c278e95916518574b53f6613d5ea9e250
SSDEEP

393216:wBRF+vGbfzxpO829aWD/mttgSwnN4KC3/ARTOTKUNRKLyktlwrSOR:gF66S829n/WwuoRToKU/KLT+J

Score

10^/10

gozi 1000 banker evasion isfb phishing trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Downloads.zip

Resource

win10-20231020-en

gozi 1000 banker evasion isfb phishing trojan upx

windows10-1703-x64

21 signatures

1800 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

repeseparation.ru

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  Downloads.zip
- Size
  
  23.1MB
- MD5
  
  c680ac48333450b51b7864d21895cc90
- SHA1
  
  92870f185c6be6b8d55a294f5de59c98061193d8
- SHA256
  
  c442edf2f963a0fa28e9525ec63904241dd78f0d1310f770f2f9a2f14b21aece
- SHA512
  
  29d5cb0edc4ce466bf8543305152e1d271d2357c00a688e48e63645742dc8c84ffd75860c809946507ed6ad5a4afa96c278e95916518574b53f6613d5ea9e250
- SSDEEP
  
  393216:wBRF+vGbfzxpO829aWD/mttgSwnN4KC3/ARTOTKUNRKLyktlwrSOR:gF66S829n/WwuoRToKU/KLT+J
Score

10^/10

gozi 1000 banker evasion isfb phishing trojan upx
- Detected phishing page
  phishing
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Nirsoft
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gozi1000bankerevasionisfbphishingtrojanupx

© 2018-2024

Terms | Privacy