gozi | 9f1b5b5cdc5446f249d1a16c81fd4aecc1d9ac4c7c9e8ce286d452376e2feb69

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-02-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5681e74c6746db55e759d64114815ed.exe
Size

5.8MB
MD5

a5681e74c6746db55e759d64114815ed
SHA1

befe608f249a1e5fb494e07d4ddcdffa5cb159f8
SHA256

9f1b5b5cdc5446f249d1a16c81fd4aecc1d9ac4c7c9e8ce286d452376e2feb69
SHA512

59f400f5d1dbee04710714274873dbf2d9cc2ac1ca3380381ef3ba4ccc8e07dfb66b3595d85011808d39d443273ea1b0c9f9b7f72dc2c0328c7285fe00c61111
SSDEEP

98304:WN06zlJuHau42c1joCjMPkNwk6K3l/fBbbM3MLXn6XHau42c1joCjMPkNwk6:Wblqauq1jI86ADnx0auq1jI86

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

a5681e74c6746db55e759d64114815ed.exe

pid process

2656 a5681e74c6746db55e759d64114815ed.exe
Executes dropped EXE 1 IoCs

Processes:

a5681e74c6746db55e759d64114815ed.exe

pid process

2656 a5681e74c6746db55e759d64114815ed.exe
Loads dropped DLL 1 IoCs

Processes:

a5681e74c6746db55e759d64114815ed.exe

pid process

2180 a5681e74c6746db55e759d64114815ed.exe

pid	process
2656	a5681e74c6746db55e759d64114815ed.exe

pid	process
2656	a5681e74c6746db55e759d64114815ed.exe

pid	process
2180	a5681e74c6746db55e759d64114815ed.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2180-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\a5681e74c6746db55e759d64114815ed.exe	upx
behavioral1/memory/2656-16-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\a5681e74c6746db55e759d64114815ed.exe	upx

Suspicious behavior: RenamesItself 1 IoCs

Processes:

a5681e74c6746db55e759d64114815ed.exe

pid process

2180 a5681e74c6746db55e759d64114815ed.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

a5681e74c6746db55e759d64114815ed.exea5681e74c6746db55e759d64114815ed.exe

pid process

2180 a5681e74c6746db55e759d64114815ed.exe
2656 a5681e74c6746db55e759d64114815ed.exe

pid	process
2180	a5681e74c6746db55e759d64114815ed.exe

pid	process
2180	a5681e74c6746db55e759d64114815ed.exe
2656	a5681e74c6746db55e759d64114815ed.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a5681e74c6746db55e759d64114815ed.exe

description	pid	process	target process
PID 2180 wrote to memory of 2656	2180	a5681e74c6746db55e759d64114815ed.exe	a5681e74c6746db55e759d64114815ed.exe
PID 2180 wrote to memory of 2656	2180	a5681e74c6746db55e759d64114815ed.exe	a5681e74c6746db55e759d64114815ed.exe
PID 2180 wrote to memory of 2656	2180	a5681e74c6746db55e759d64114815ed.exe	a5681e74c6746db55e759d64114815ed.exe
PID 2180 wrote to memory of 2656	2180	a5681e74c6746db55e759d64114815ed.exe	a5681e74c6746db55e759d64114815ed.exe

C:\Users\Admin\AppData\Local\Temp\a5681e74c6746db55e759d64114815ed.exe
"C:\Users\Admin\AppData\Local\Temp\a5681e74c6746db55e759d64114815ed.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\a5681e74c6746db55e759d64114815ed.exe
C:\Users\Admin\AppData\Local\Temp\a5681e74c6746db55e759d64114815ed.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a5681e74c6746db55e759d64114815ed.exe
Filesize
2.4MB

MD5
5c87db38421f708b8eb385f8e112f554

SHA1
e0064c2d2069fb4c412d2cb41f2cfc83b12442fa

SHA256
ada42c0f76735ff4d638badadc5f6d3826366700d2b01975a06108982240cfaa

SHA512
aebbdefa8419f2f3e8f7b2817f0ca77bb0418c3665d09b192fbd2c7ede52e2bd225c58d066a48d04c2bdf31092c806b4aa400cad4eb0bba93a28a591849d55ac

Download Submit
\Users\Admin\AppData\Local\Temp\a5681e74c6746db55e759d64114815ed.exe
Filesize
5.8MB

MD5
6694c64cb9ce919b07703fec8ebbfcdd

SHA1
986b3e728cbe5156ab3fbb8cc2979deea51a58ee

SHA256
a34d0058f367a71536fb36929d413558a339738c3bbda73f0dcbaeb22564e822

SHA512
512fcc2299c4d4eef55c46f7360ccf1f5eae1e6b4f8c1b9671aa3093827f71d9cc3e7592d4d64d2f5608b033263ac200afbc899dd1506ec5dc5db4d03b14a980

Download Submit
memory/2180-1-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2180-3-0x0000000000290000-0x00000000003C3000-memory.dmp

Filesize
1.2MB

Download
memory/2180-13-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2180-15-0x0000000003EE0000-0x00000000043CF000-memory.dmp

Filesize
4.9MB

Download
memory/2180-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2180-31-0x0000000003EE0000-0x00000000043CF000-memory.dmp

Filesize
4.9MB

Download
memory/2656-16-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2656-18-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2656-25-0x0000000003410000-0x000000000363A000-memory.dmp

Filesize
2.2MB

Download
memory/2656-23-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2656-17-0x0000000001B20000-0x0000000001C53000-memory.dmp

Filesize
1.2MB

Download
memory/2656-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download