gozi | 73bf62c8287684b69f1965a40049dda074c4e58f3024ae4bf34fb07a5b445680 | Triage

Sharing

General

Target

73bf62c8287684b69f1965a40049dda074c4e58f3024ae4bf34fb07a5b445680
Size

3.4MB
Sample

240223-yg8cnafg98
MD5

41111f9df119ba7e3146a729b4c31f51
SHA1

54dd206920d115f23b6e3e04dc5eb3ec69b91617
SHA256

73bf62c8287684b69f1965a40049dda074c4e58f3024ae4bf34fb07a5b445680
SHA512

f731304ea6fbb87ebf0dbfef0dfb601cc6e3f5f5aea3f54008a6c7058c93e8d08ca60a4dd8bca2a2f70dba9f5a9a366787f679b140a3884c9250fe2a56da1160
SSDEEP

49152:7EjEamQb2OguN8Dfk5JEG14wv2QwnN4iTapOcaPKfjtD8cEOxeuxzS2hPV5T1gWR:7EjlmQbfgSgwvSnN4iVJuS0xJdzYUqM

Score

10^/10

gozi bootkit isfb persistence

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  73bf62c8287684b69f1965a40049dda074c4e58f3024ae4bf34fb07a5b445680
- Size
  
  3.4MB
- MD5
  
  41111f9df119ba7e3146a729b4c31f51
- SHA1
  
  54dd206920d115f23b6e3e04dc5eb3ec69b91617
- SHA256
  
  73bf62c8287684b69f1965a40049dda074c4e58f3024ae4bf34fb07a5b445680
- SHA512
  
  f731304ea6fbb87ebf0dbfef0dfb601cc6e3f5f5aea3f54008a6c7058c93e8d08ca60a4dd8bca2a2f70dba9f5a9a366787f679b140a3884c9250fe2a56da1160
- SSDEEP
  
  49152:7EjEamQb2OguN8Dfk5JEG14wv2QwnN4iTapOcaPKfjtD8cEOxeuxzS2hPV5T1gWR:7EjlmQbfgSgwvSnN4iVJuS0xJdzYUqM
Score

7^/10

bootkit persistence
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitpersistence

behavioral2

bootkitpersistence