gozi | 42b6c9866c84d108f122fa06085131ae0db58842844f87e2f59908521272dde0 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

42b6c9866c84d108f122fa06085131ae0db58842844f87e2f59908521272dde0
Size

3.5MB
Sample

240118-jcjq6sfgf4
MD5

1a09b04bf6a1576862b5e0de88a50452
SHA1

c17af91265d308bed0157d2139cbbde357f4836b
SHA256

42b6c9866c84d108f122fa06085131ae0db58842844f87e2f59908521272dde0
SHA512

b649937c45786e7d7e951d2c32d55ba866a40ae15306b7531fd3373796d4c27901dde7198b17bdba53c03c7b143cbf81058353441df41cfea856a50a2bc0b67a
SSDEEP

98304:YEjlmQbfgSgwvSnN4iVJur0xM/licQBqP:YEjgQPXq0/xQBqP

Score

10^/10

gozi bootkit isfb persistence

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  42b6c9866c84d108f122fa06085131ae0db58842844f87e2f59908521272dde0
- Size
  
  3.5MB
- MD5
  
  1a09b04bf6a1576862b5e0de88a50452
- SHA1
  
  c17af91265d308bed0157d2139cbbde357f4836b
- SHA256
  
  42b6c9866c84d108f122fa06085131ae0db58842844f87e2f59908521272dde0
- SHA512
  
  b649937c45786e7d7e951d2c32d55ba866a40ae15306b7531fd3373796d4c27901dde7198b17bdba53c03c7b143cbf81058353441df41cfea856a50a2bc0b67a
- SSDEEP
  
  98304:YEjlmQbfgSgwvSnN4iVJur0xM/licQBqP:YEjgQPXq0/xQBqP
Score

7^/10

bootkit persistence
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitpersistence

behavioral2

bootkitpersistence