gozi | cf856ce872e433e45d452eadb15b03a8140285b7c9bca71a729bf060a59594be | Triage

Sharing

General

Target

f3ef1b392c5ce94848224719f01ba520_NEAS.exe
Size

245KB
Sample

240506-wq7rdagb94
MD5

f3ef1b392c5ce94848224719f01ba520
SHA1

3641439fe9a5e4089c013648b0be543bff320cc4
SHA256

cf856ce872e433e45d452eadb15b03a8140285b7c9bca71a729bf060a59594be
SHA512

b710980b2b8b5c35b06ca53156fe63dec64df6a32c19373f7e11dc21e217c84dd9f165f3ddcf1b871004e9ac82b9ab873f368f286c1ec3a7a96f24a8e251746b
SSDEEP

1536:ppNHxITk6KB7BFw/bPQqDiXqQbX6u8xNxKy7YYJUV8u7OLN/4cXeXvubKrFEwMEj:hDO0y7YYJUj7cNwago+bAr+Qka

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  f3ef1b392c5ce94848224719f01ba520_NEAS.exe
- Size
  
  245KB
- MD5
  
  f3ef1b392c5ce94848224719f01ba520
- SHA1
  
  3641439fe9a5e4089c013648b0be543bff320cc4
- SHA256
  
  cf856ce872e433e45d452eadb15b03a8140285b7c9bca71a729bf060a59594be
- SHA512
  
  b710980b2b8b5c35b06ca53156fe63dec64df6a32c19373f7e11dc21e217c84dd9f165f3ddcf1b871004e9ac82b9ab873f368f286c1ec3a7a96f24a8e251746b
- SSDEEP
  
  1536:ppNHxITk6KB7BFw/bPQqDiXqQbX6u8xNxKy7YYJUV8u7OLN/4cXeXvubKrFEwMEj:hDO0y7YYJUj7cNwago+bAr+Qka
Score

10^/10

gozi banker isfb persistence trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozibankerisfbpersistencetrojan

behavioral2