gozi | 16bd5b87b590469df584938e5d245721c03dd44a79fdfa0db6afff416da85aaa | Triage

Sharing

General

Target

16bd5b87b590469df584938e5d245721c03dd44a79fdfa0db6afff416da85aaa
Size

3.8MB
Sample

240503-xp6ncsgd26
MD5

0d327e9baabdb324f54c6019fa2e5a96
SHA1

31328eb947d878af2fe78b5a1a5249273b838a8b
SHA256

16bd5b87b590469df584938e5d245721c03dd44a79fdfa0db6afff416da85aaa
SHA512

f10252a0d79a2e78e53996757404bd846815334cbe521db4f40914cba8aa00086befe24cdd68ded8bdc969af3c247fbdebe5ed39a5c17696972cb1a65288c95e
SSDEEP

98304:yEjlmQbfgSgwvSnN4iVJu+0xGZ6twFquI3rFql:yEjgQPXqdEtwYf3rFql

Score

10^/10

gozi bootkit isfb persistence

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  16bd5b87b590469df584938e5d245721c03dd44a79fdfa0db6afff416da85aaa
- Size
  
  3.8MB
- MD5
  
  0d327e9baabdb324f54c6019fa2e5a96
- SHA1
  
  31328eb947d878af2fe78b5a1a5249273b838a8b
- SHA256
  
  16bd5b87b590469df584938e5d245721c03dd44a79fdfa0db6afff416da85aaa
- SHA512
  
  f10252a0d79a2e78e53996757404bd846815334cbe521db4f40914cba8aa00086befe24cdd68ded8bdc969af3c247fbdebe5ed39a5c17696972cb1a65288c95e
- SSDEEP
  
  98304:yEjlmQbfgSgwvSnN4iVJu+0xGZ6twFquI3rFql:yEjgQPXqdEtwYf3rFql
Score

7^/10

bootkit persistence
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitpersistence

behavioral2

bootkitpersistence