gozi | 903d5a14cff6031c29be5e4e4273afc59348601a94fc5a99caeefddf2ac34cbc

Analysis

max time kernel
92s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f38c7fea478d2005453d4c271c3393f.exe
Size

5.8MB
MD5

8f38c7fea478d2005453d4c271c3393f
SHA1

a7caa3d697ebca46852f86896db4c11edc50841d
SHA256

903d5a14cff6031c29be5e4e4273afc59348601a94fc5a99caeefddf2ac34cbc
SHA512

453db1c8fc904f3217f25d93dfc4a5ea2e630cd431093542acc8f28eda0f91adcf753ca5a337fbf614af4c727cc7205889f4176929046e9bd7fc72a570996c7e
SSDEEP

98304:/zdmLfzu6ICHau42c1joCjMPkNwk6alDAqD7z3uboHau42c1joCjMPkNwk6:5mLLdDauq1jI86FA7y2auq1jI86

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Deletes itself 1 IoCs

pid	Process
1972	8f38c7fea478d2005453d4c271c3393f.exe

Executes dropped EXE 1 IoCs

pid	Process
1972	8f38c7fea478d2005453d4c271c3393f.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/436-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral2/files/0x0010000000023153-11.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
436	8f38c7fea478d2005453d4c271c3393f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
436	8f38c7fea478d2005453d4c271c3393f.exe
1972	8f38c7fea478d2005453d4c271c3393f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 1972	436	8f38c7fea478d2005453d4c271c3393f.exe	85
PID 436 wrote to memory of 1972	436	8f38c7fea478d2005453d4c271c3393f.exe	85
PID 436 wrote to memory of 1972	436	8f38c7fea478d2005453d4c271c3393f.exe	85

C:\Users\Admin\AppData\Local\Temp\8f38c7fea478d2005453d4c271c3393f.exe
"C:\Users\Admin\AppData\Local\Temp\8f38c7fea478d2005453d4c271c3393f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\8f38c7fea478d2005453d4c271c3393f.exe
  C:\Users\Admin\AppData\Local\Temp\8f38c7fea478d2005453d4c271c3393f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f38c7fea478d2005453d4c271c3393f.exe

Filesize
353KB

MD5
ed5635a853683923839c336eb0b12a0a

SHA1
9c5ac315a2b37c805064855ebf42c6314c9df73e

SHA256
90cbb40a26a01c66ce3d596a6c96b62e1c63e7f11f47108159aa25fdf3df85aa

SHA512
e317b071ce7819626cdc23f1131ae5b764f3dc4d59c8bd813bec27c472c583fa090c55a0a329d430fdbe659fdf51f30b38b4e864500c97831c96256478533249

Download Submit
memory/436-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/436-1-0x0000000001D40000-0x0000000001E73000-memory.dmp

Filesize
1.2MB

Download
memory/436-2-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/436-12-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1972-14-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1972-13-0x0000000001CC0000-0x0000000001DF3000-memory.dmp

Filesize
1.2MB

Download
memory/1972-16-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/1972-20-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1972-22-0x00000000055C0000-0x00000000057EA000-memory.dmp

Filesize
2.2MB

Download
memory/1972-28-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download