gozi | eccded5bae97d375cb00523238d3d688df33fe1fccdcd9e1af0973f2fdd3f6fa

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

960fa5935476e6fce5542912c57e4301.exe
Size

2.7MB
MD5

960fa5935476e6fce5542912c57e4301
SHA1

0b89040eb4d77d39c6554ccca7eb7d574b5aae94
SHA256

eccded5bae97d375cb00523238d3d688df33fe1fccdcd9e1af0973f2fdd3f6fa
SHA512

d240c001b9c7e533b4616f032064cffc38121dfb60bbfab49a5e3686114e39237250a7f1fd65c75a9aed1f3731a19cae0d74397a5f9225b31bd451362b32503e
SSDEEP

49152:OpOOJSFqB4nx9cdUBw7WEvIN3ztG/H4/jnOYplIQLnBw:tOJSFqB4x9djeINhCgnO6V

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Deletes itself 1 IoCs

pid	Process
3008	960fa5935476e6fce5542912c57e4301.exe

Executes dropped EXE 1 IoCs

pid	Process
3008	960fa5935476e6fce5542912c57e4301.exe

Loads dropped DLL 1 IoCs

pid	Process
2972	960fa5935476e6fce5542912c57e4301.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2972-0-0x0000000000400000-0x000000000086A000-memory.dmp	upx
behavioral1/files/0x000c0000000122c4-11.dat	upx
behavioral1/files/0x000c0000000122c4-13.dat	upx
behavioral1/files/0x000c0000000122c4-14.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2972	960fa5935476e6fce5542912c57e4301.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2972	960fa5935476e6fce5542912c57e4301.exe
3008	960fa5935476e6fce5542912c57e4301.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 3008	2972	960fa5935476e6fce5542912c57e4301.exe	16
PID 2972 wrote to memory of 3008	2972	960fa5935476e6fce5542912c57e4301.exe	16
PID 2972 wrote to memory of 3008	2972	960fa5935476e6fce5542912c57e4301.exe	16
PID 2972 wrote to memory of 3008	2972	960fa5935476e6fce5542912c57e4301.exe	16

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:3008

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
"C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

Filesize
463KB

MD5
1733bff9d0634f1063fe87495d8fce18

SHA1
272d173649dcfe190b619bc6bfedbb006651e160

SHA256
46a9cc13c2b1c61a30999919072f0540b881b30800391f9652e20b774424ce88

SHA512
f8d587abf4f7592d7a0aa123c575baf3935311f0406fea65b4bfa4049d424beee7a2fd6beb96352e57d4e99a7bde58f1c96499cff54d7f439b2aee234b0a6a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

Filesize
422KB

MD5
3326c51f102158ae50fab09194f2bcd4

SHA1
d97d96ed04563cce1b7459abf3fadfd2349e096d

SHA256
63ed041fd56a5ef2bdfc99a857e6c50fe6fb8ab0c002d2bb810fb86d362258c3

SHA512
3f9d35cacdc32201c686650f4dbd05cc6127f5f4eb889a57433f55395d12a6d6b95c0ed3ea8fb8362690bc9a2b05167e4f153a76b7d85a0ffdf36db9cb2ada56

Download Submit
\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

Filesize
425KB

MD5
efb096fceb426b856fbd1cc75281d763

SHA1
7bc3c372f7915575fe962249beac66ef00fba897

SHA256
d7c6351d6511a78f11eee86465ac4f5a8b0acb3c34190dd37f4097f0f90e5033

SHA512
6a66124841ff3790f75ad97326ae2a4cd8f525176877e45a90b54bbb4b99f60ffb629ae844cbacb9ef713f9239afbfd1978ab9f661d1924c0b25465a40aeaae5

Download Submit
memory/2972-0-0x0000000000400000-0x000000000086A000-memory.dmp

Filesize
4.4MB

Download
memory/2972-2-0x0000000001A60000-0x0000000001B72000-memory.dmp

Filesize
1.1MB

Download
memory/2972-15-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/2972-1-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/3008-17-0x0000000000270000-0x0000000000382000-memory.dmp

Filesize
1.1MB

Download
memory/3008-19-0x0000000000400000-0x000000000086A000-memory.dmp

Filesize
4.4MB

Download
memory/3008-16-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/3008-25-0x0000000000400000-0x000000000086A000-memory.dmp

Filesize
4.4MB

Download