gozi | ad6a6869f647cee0494e8c94ecbc33b89cb23ed7bda3281364d3c166ee63a042

Analysis

max time kernel
136s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 09:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7ccaa25820a91a547530e78ed34c711a.exe
Size

5.8MB
MD5

7ccaa25820a91a547530e78ed34c711a
SHA1

80caa875cae77ff6101c2c6d81e3e8ccfa44a2ad
SHA256

ad6a6869f647cee0494e8c94ecbc33b89cb23ed7bda3281364d3c166ee63a042
SHA512

223ffc79d51f513ce8d99cbe3f71601cb7687307d0e34fa9167288b0067f3391d24ea577070d89e7b0eb05ac6adde653d1b61df050316376eddf07ccec1006eb
SSDEEP

98304:Le2emGcPBMOgg3gnl/IVUs1jePsgi2OwLUl5PHNCqQmRgg3gnl/IVUs1jePs:y2emX53gl/iBiPQiLUDPH4/mHgl/iBiP

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Deletes itself 1 IoCs

pid	Process
4572	7ccaa25820a91a547530e78ed34c711a.exe

Executes dropped EXE 1 IoCs

pid	Process
4572	7ccaa25820a91a547530e78ed34c711a.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4944-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral2/files/0x0007000000023127-11.dat	upx
behavioral2/memory/4572-13-0x0000000000400000-0x00000000008EF000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4944	7ccaa25820a91a547530e78ed34c711a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4944	7ccaa25820a91a547530e78ed34c711a.exe
4572	7ccaa25820a91a547530e78ed34c711a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4572	4944	7ccaa25820a91a547530e78ed34c711a.exe	88
PID 4944 wrote to memory of 4572	4944	7ccaa25820a91a547530e78ed34c711a.exe	88
PID 4944 wrote to memory of 4572	4944	7ccaa25820a91a547530e78ed34c711a.exe	88

C:\Users\Admin\AppData\Local\Temp\7ccaa25820a91a547530e78ed34c711a.exe
"C:\Users\Admin\AppData\Local\Temp\7ccaa25820a91a547530e78ed34c711a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\7ccaa25820a91a547530e78ed34c711a.exe
  C:\Users\Admin\AppData\Local\Temp\7ccaa25820a91a547530e78ed34c711a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ccaa25820a91a547530e78ed34c711a.exe

Filesize
5.4MB

MD5
546ba14ac7ce107095403ba456afa230

SHA1
756d85467886d9f0acc3c7d734475dafd1fcb3b3

SHA256
bed08e85bde57248aca49b81b823ae8c714972b68dd3afd2a5fcd2f7b381ffa2

SHA512
ff008d12bbffdac4136396e2988f32ea8c88edbf32724342ad46451beb5ff3f0808e3657fa7eea896db7c483795d2fe2407a0f09b4d996374a48bb3336bbdeba

Download Submit
memory/4572-13-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/4572-15-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/4572-14-0x00000000018F0000-0x0000000001A23000-memory.dmp

Filesize
1.2MB

Download
memory/4572-20-0x00000000056C0000-0x00000000058EA000-memory.dmp

Filesize
2.2MB

Download
memory/4572-21-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4572-28-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/4944-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/4944-1-0x0000000001DC0000-0x0000000001EF3000-memory.dmp

Filesize
1.2MB

Download
memory/4944-2-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/4944-12-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download