gozi | 06d12abdce3168f51a9e38d712b767bbf211d71553c74b33b5c79005c771d2c6

Analysis

max time kernel
93s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 12:07

Target

a65053c661862e925484ecade1c4e2fb.exe
Size

3.3MB
MD5

a65053c661862e925484ecade1c4e2fb
SHA1

ea6a29adbb18401406c321111b19a9ba6b924df8
SHA256

06d12abdce3168f51a9e38d712b767bbf211d71553c74b33b5c79005c771d2c6
SHA512

376c231c54175d65770015e3f033cb7702a7685e95df91940bb01c8ad62c4754e38ded3f81f2bee68829f5df308a2198795b37ffaebaf87ff20579a9e92163ef
SSDEEP

98304:0UtJ2Y59CRpIaY8QQTJ6a24d6Yd4S+D845wVmE8G4T2O:0cORph/Bd4r845wVmE94Tr

Score

10^/10

Family

gozi

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Deletes itself 1 IoCs

Processes:

a65053c661862e925484ecade1c4e2fb.exe

pid process

4636 a65053c661862e925484ecade1c4e2fb.exe
Executes dropped EXE 1 IoCs

Processes:

a65053c661862e925484ecade1c4e2fb.exe

pid process

4636 a65053c661862e925484ecade1c4e2fb.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

a65053c661862e925484ecade1c4e2fb.exe

pid process

3032 a65053c661862e925484ecade1c4e2fb.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

a65053c661862e925484ecade1c4e2fb.exea65053c661862e925484ecade1c4e2fb.exe

pid process

3032 a65053c661862e925484ecade1c4e2fb.exe
4636 a65053c661862e925484ecade1c4e2fb.exe

pid	process
4636	a65053c661862e925484ecade1c4e2fb.exe

pid	process
4636	a65053c661862e925484ecade1c4e2fb.exe

pid	process
3032	a65053c661862e925484ecade1c4e2fb.exe

pid	process
3032	a65053c661862e925484ecade1c4e2fb.exe
4636	a65053c661862e925484ecade1c4e2fb.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a65053c661862e925484ecade1c4e2fb.exe

description	pid	process	target process
PID 3032 wrote to memory of 4636	3032	a65053c661862e925484ecade1c4e2fb.exe	a65053c661862e925484ecade1c4e2fb.exe
PID 3032 wrote to memory of 4636	3032	a65053c661862e925484ecade1c4e2fb.exe	a65053c661862e925484ecade1c4e2fb.exe
PID 3032 wrote to memory of 4636	3032	a65053c661862e925484ecade1c4e2fb.exe	a65053c661862e925484ecade1c4e2fb.exe

C:\Users\Admin\AppData\Local\Temp\a65053c661862e925484ecade1c4e2fb.exe
Filesize
3.3MB

MD5
1bc77634e231fe4611d39ecd9e53dac2

SHA1
13e97295dbd938e2521789b1f7df0931f04be2e2

SHA256
94b4989926ce01d5bd1c0dadbe132aea376e78f28202bdde0f96e0c211add970

SHA512
0824673094c1ccb32d9e1a6dc326c22e9d5b165b8f97736a4e8190fb821bb4ebff3a99db0c1df12ceee25def7c6ce30cd0b121f6b0b120ba4fae7377015ecca1

Download Submit
memory/3032-0-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/3032-1-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/3032-2-0x0000000001C80000-0x00000000020F7000-memory.dmp

Filesize
4.5MB

Download
memory/3032-11-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/4636-13-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/4636-15-0x0000000001E50000-0x00000000022C7000-memory.dmp

Filesize
4.5MB

Download
memory/4636-14-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/4636-20-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/4636-21-0x0000000005B20000-0x0000000005D6D000-memory.dmp

Filesize
2.3MB

Download