gozi | bb5dd04ec026e2db27f98bf77a793c33cf46091cdaf876abbf1233d61e7f565a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
Size

2.7MB
MD5

1e8b6db7fe01d3c6536dc85f3a1f7f7e
SHA1

c8487e573c6eec98f8b27fd48a4fdedf83b187b0
SHA256

bb5dd04ec026e2db27f98bf77a793c33cf46091cdaf876abbf1233d61e7f565a
SHA512

31f5e23e2d5d76c4486873a7ab357b7525e6db2133b51050b531e89d3e2ca52ec50fa60c30a5b77c417a92e0ec143d076623c4d0035913d6ca298432e9e0800b
SSDEEP

49152:McwedbQ9bdwxkZAV1yOvvEc/0+BR980FLWJofqzWcBYGniqaPbKp/qG6TsPfFR9j:McwGowOjct3H8AlGniPzKp/qDAfFHj

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Deletes itself 1 IoCs

pid	Process
2984	1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe

Executes dropped EXE 1 IoCs

pid	Process
2984	1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe

Loads dropped DLL 1 IoCs

pid	Process
2924	1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2924-1-0x0000000000400000-0x00000000008E7000-memory.dmp	upx
behavioral1/files/0x000a000000013a71-13.dat	upx
behavioral1/files/0x000a000000013a71-10.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2924	1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2924	1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
2984	1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2984	2924	1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe	28
PID 2924 wrote to memory of 2984	2924	1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe	28
PID 2924 wrote to memory of 2984	2924	1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe	28
PID 2924 wrote to memory of 2984	2924	1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe	28

C:\Users\Admin\AppData\Local\Temp\1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
"C:\Users\Admin\AppData\Local\Temp\1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
  C:\Users\Admin\AppData\Local\Temp\1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe

Filesize
172KB

MD5
04eb3694871deebba69efcc819d0ded4

SHA1
94cf8f0e01a0eafa2f70270119531ae51f6172fc

SHA256
e8faede6a80e1858fea5c82cadb8f5afea8cdd1f024cab82eec249e0dda3b33e

SHA512
cfaa49a8fd5b8bb0c44124065242233c7f52ac29aa0be9c33f5f7180496d8912f1b729a9b54632648d27abb86957958f90657a1eb35cd2c7c391f498b5ec7ed4

Download Submit
\Users\Admin\AppData\Local\Temp\1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe

Filesize
610KB

MD5
e0a749b700cac7dbc42cf82a1d8c13f8

SHA1
ba5caa230fa1a65fc41c276c520a15c8d93d21bd

SHA256
439b4e51987febc4d44f8920c5d00ed5437df3208324438a6b3d615ffed2e877

SHA512
100f42686c832a985be8420f5f9d73017062d802938f1a26d66ef4f220e51a6e58fda144ae03198c546415aba1f37f9b0516398808c2bd42394d55244b2822a0

Download Submit
memory/2924-1-0x0000000000400000-0x00000000008E7000-memory.dmp

Filesize
4.9MB

Download
memory/2924-3-0x0000000001B10000-0x0000000001C41000-memory.dmp

Filesize
1.2MB

Download
memory/2924-0-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2924-14-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2984-16-0x0000000001B10000-0x0000000001C41000-memory.dmp

Filesize
1.2MB

Download
memory/2984-18-0x0000000000400000-0x00000000008E7000-memory.dmp

Filesize
4.9MB

Download
memory/2984-15-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2984-23-0x00000000033F0000-0x0000000003612000-memory.dmp

Filesize
2.1MB

Download
memory/2984-22-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2984-32-0x0000000000400000-0x00000000008E7000-memory.dmp

Filesize
4.9MB

Download