gozi | d5bf1d1238bcd9141ead1a17ad06825efe9cf24fdf7ee7c2e35e90ce45b6d065

Analysis

max time kernel
145s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4af0345135b9c15bbaa83bbb899f1aa6.exe
Size

2.9MB
MD5

4af0345135b9c15bbaa83bbb899f1aa6
SHA1

16979365303a22fa6f57e17f6e5d201a07d011e7
SHA256

d5bf1d1238bcd9141ead1a17ad06825efe9cf24fdf7ee7c2e35e90ce45b6d065
SHA512

f68bdb408f72e77d2836faddea0368cae3fb8d461eb66a6200243d5ceb90cd65d3e8bc84072286b3433985cec0539cc2c5713b1a31697de5187a7f2573c3a4b5
SSDEEP

49152:C9afAFQ2AgWHek3joDBtJP0N74NH5HUyNRcUsCVOzetdZJ:CB+2uHeEolti4HBUCczzM3

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Deletes itself 1 IoCs

pid	Process
2368	4af0345135b9c15bbaa83bbb899f1aa6.exe

Executes dropped EXE 1 IoCs

pid	Process
2368	4af0345135b9c15bbaa83bbb899f1aa6.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2368-14-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral2/files/0x000600000001e5df-11.dat	upx
behavioral2/memory/388-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
388	4af0345135b9c15bbaa83bbb899f1aa6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
388	4af0345135b9c15bbaa83bbb899f1aa6.exe
2368	4af0345135b9c15bbaa83bbb899f1aa6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 2368	388	4af0345135b9c15bbaa83bbb899f1aa6.exe	19
PID 388 wrote to memory of 2368	388	4af0345135b9c15bbaa83bbb899f1aa6.exe	19
PID 388 wrote to memory of 2368	388	4af0345135b9c15bbaa83bbb899f1aa6.exe	19

C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe
"C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe
  C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe

Filesize
61KB

MD5
2032b4cbee42f8cb18d53089832fa9a0

SHA1
34a8edd8b0d7e7cea21663db143ecec5603e30ca

SHA256
254107f19bf4cf5bb75e816ead8b1492155db185ffcbe9a9969d89be0092f34f

SHA512
cb42819220fb35ed50040e0147b9f9357d314e60b2c239c970447b2085b0fee45344fb6d24a85e3609813647f589e27bc0ec92cb151e4b87c5085c2f1c584679

Download Submit
memory/388-2-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/388-1-0x0000000001D80000-0x0000000001EB3000-memory.dmp

Filesize
1.2MB

Download
memory/388-12-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/388-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2368-16-0x0000000001D00000-0x0000000001E33000-memory.dmp

Filesize
1.2MB

Download
memory/2368-13-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2368-21-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2368-20-0x0000000005600000-0x000000000582A000-memory.dmp

Filesize
2.2MB

Download
memory/2368-14-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2368-28-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download