gozi | 78142da8ae2bf87830295cf35b8cecdbf51e66f916d19efc8c3f6dbe251c94b9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 16:14

Target

a438c5ce8f98d7fedbfde163966a3e8d.exe
Size

5.8MB
MD5

a438c5ce8f98d7fedbfde163966a3e8d
SHA1

81dfd9be7c96a747137eb2ba99b54fc2b83682b1
SHA256

78142da8ae2bf87830295cf35b8cecdbf51e66f916d19efc8c3f6dbe251c94b9
SHA512

aea2332203096e055ebe9c3c5a114e10c3d507af673c4def64ef7568561243dba61f215aaccb671c92c396d1792ff4f4fb1d6fe7807295a4e13fdbc32484462c
SSDEEP

98304:UHnNFADCeiGQZaXhP5a9UEI+eG9jAkbkR79D+cVItGQZaXhP5a9UEI+eG:AAue8GhRaaCkN9qHGhRa

Score

10^/10

Family

gozi

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

a438c5ce8f98d7fedbfde163966a3e8d.exe

pid process

1032 a438c5ce8f98d7fedbfde163966a3e8d.exe
Executes dropped EXE 1 IoCs

Processes:

a438c5ce8f98d7fedbfde163966a3e8d.exe

pid process

1032 a438c5ce8f98d7fedbfde163966a3e8d.exe

pid	process
1032	a438c5ce8f98d7fedbfde163966a3e8d.exe

pid	process
1032	a438c5ce8f98d7fedbfde163966a3e8d.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/556-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\a438c5ce8f98d7fedbfde163966a3e8d.exe	upx
behavioral2/memory/1032-13-0x0000000000400000-0x00000000008EF000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

Processes:

a438c5ce8f98d7fedbfde163966a3e8d.exe

pid process

556 a438c5ce8f98d7fedbfde163966a3e8d.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

a438c5ce8f98d7fedbfde163966a3e8d.exea438c5ce8f98d7fedbfde163966a3e8d.exe

pid process

556 a438c5ce8f98d7fedbfde163966a3e8d.exe
1032 a438c5ce8f98d7fedbfde163966a3e8d.exe

pid	process
556	a438c5ce8f98d7fedbfde163966a3e8d.exe

pid	process
556	a438c5ce8f98d7fedbfde163966a3e8d.exe
1032	a438c5ce8f98d7fedbfde163966a3e8d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a438c5ce8f98d7fedbfde163966a3e8d.exe

description	pid	process	target process
PID 556 wrote to memory of 1032	556	a438c5ce8f98d7fedbfde163966a3e8d.exe	a438c5ce8f98d7fedbfde163966a3e8d.exe
PID 556 wrote to memory of 1032	556	a438c5ce8f98d7fedbfde163966a3e8d.exe	a438c5ce8f98d7fedbfde163966a3e8d.exe
PID 556 wrote to memory of 1032	556	a438c5ce8f98d7fedbfde163966a3e8d.exe	a438c5ce8f98d7fedbfde163966a3e8d.exe

C:\Users\Admin\AppData\Local\Temp\a438c5ce8f98d7fedbfde163966a3e8d.exe
Filesize
704KB

MD5
3b8b4e072370a1316918b3210cd22383

SHA1
a932cc73b77afd46e93215999fea67ed46257131

SHA256
bb4ed6f2ff85ce4cec019765d7b476313539353cef58a0ffa6d3f2175f535038

SHA512
879904bf00598d2eaa52447ed80508ddc18e44b2e63ccd16e562f3fed5f025b82d3842ecd19850589cdd97ba3bb48f697081f72782d4f174e1f028f607319184

Download Submit
memory/556-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/556-1-0x0000000001CB0000-0x0000000001DE3000-memory.dmp

Filesize
1.2MB

Download
memory/556-2-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/556-12-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1032-14-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1032-15-0x00000000018F0000-0x0000000001A23000-memory.dmp

Filesize
1.2MB

Download
memory/1032-13-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/1032-20-0x0000000005520000-0x000000000574A000-memory.dmp

Filesize
2.2MB

Download
memory/1032-21-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1032-28-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download