gozi | 45bbc1888cb27463adf280d312fc932fa784877f4592a8b81517ca431a00ccca

Analysis

max time kernel
152s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 02:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4d22640d9cbdc1052d109f6442feabf8.exe
Size

9.6MB
MD5

4d22640d9cbdc1052d109f6442feabf8
SHA1

6e4be4d380dfa2f043f09505971ebe5a7773051c
SHA256

45bbc1888cb27463adf280d312fc932fa784877f4592a8b81517ca431a00ccca
SHA512

3107453c6b7f61355a851373d4351d799d046cb3c9014b6e0a16e00cec4f5235152c88574a49cd9b54e047c01a2580e9e96871e33df46bb622dcdae278075788
SSDEEP

196608:67B4Ngl/iBBB1hm1Wgl/iBZMkgl/iBBB1hm1Wgl/iBP:IB42i3vmI2iZR2i3vmI2iP

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Deletes itself 1 IoCs

pid	Process
3248	4d22640d9cbdc1052d109f6442feabf8.exe

Executes dropped EXE 1 IoCs

pid	Process
3248	4d22640d9cbdc1052d109f6442feabf8.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/468-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral2/files/0x000700000002313a-11.dat	upx
behavioral2/memory/3248-13-0x0000000000400000-0x00000000008EF000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
468	4d22640d9cbdc1052d109f6442feabf8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
468	4d22640d9cbdc1052d109f6442feabf8.exe
3248	4d22640d9cbdc1052d109f6442feabf8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 3248	468	4d22640d9cbdc1052d109f6442feabf8.exe	93
PID 468 wrote to memory of 3248	468	4d22640d9cbdc1052d109f6442feabf8.exe	93
PID 468 wrote to memory of 3248	468	4d22640d9cbdc1052d109f6442feabf8.exe	93

C:\Users\Admin\AppData\Local\Temp\4d22640d9cbdc1052d109f6442feabf8.exe
"C:\Users\Admin\AppData\Local\Temp\4d22640d9cbdc1052d109f6442feabf8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Local\Temp\4d22640d9cbdc1052d109f6442feabf8.exe
  C:\Users\Admin\AppData\Local\Temp\4d22640d9cbdc1052d109f6442feabf8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4d22640d9cbdc1052d109f6442feabf8.exe

Filesize
9.6MB

MD5
dcf75f421bce2399b6a7a93d5f816e27

SHA1
b28f0947adffa11747337f5e1ce32f870878725b

SHA256
422eb814da05aa0b5c506fb434830c8254b7c3b9e2af1d6c29475292f9c47da8

SHA512
2d526ed296bc1570b5193b122efdea5d82fd2f9e50c4495027fbde7fe9ea256bdcf9070d918c8d0771aa26e9c9b11bd3238997f1fc4e77fbb644743a51d5a4e4

Download Submit
memory/468-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/468-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

Filesize
1.2MB

Download
memory/468-2-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/468-12-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/3248-13-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/3248-14-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/3248-15-0x00000000018F0000-0x0000000001A23000-memory.dmp

Filesize
1.2MB

Download
memory/3248-20-0x0000000005620000-0x000000000584A000-memory.dmp

Filesize
2.2MB

Download
memory/3248-21-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3248-28-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download