gozi | 4de0c950d827416a221fa9be09a7b251c1dcadfe1996658fb6be120daf083360 | Triage

Sharing

General

Target

01ca7362531bcbc3b69ae7ff77ee0650_NeikiAnalytics
Size

163KB
Sample

240510-rxbkasea42
MD5

01ca7362531bcbc3b69ae7ff77ee0650
SHA1

b0695cfe9cc5cd23b5252b244e08faa5db1e6ee2
SHA256

4de0c950d827416a221fa9be09a7b251c1dcadfe1996658fb6be120daf083360
SHA512

5626948b8ad8d3f95d0f89d5388910805b7540997d29a2a4662a9f493dbbc913b44e31ee89f44a02123301f16809cdc7daa9823c1af2e32eeeba5649950fb4e0
SSDEEP

1536:PqSXRGFkavNU2n0mkMhOlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:dB5G620WhOltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  01ca7362531bcbc3b69ae7ff77ee0650_NeikiAnalytics
- Size
  
  163KB
- MD5
  
  01ca7362531bcbc3b69ae7ff77ee0650
- SHA1
  
  b0695cfe9cc5cd23b5252b244e08faa5db1e6ee2
- SHA256
  
  4de0c950d827416a221fa9be09a7b251c1dcadfe1996658fb6be120daf083360
- SHA512
  
  5626948b8ad8d3f95d0f89d5388910805b7540997d29a2a4662a9f493dbbc913b44e31ee89f44a02123301f16809cdc7daa9823c1af2e32eeeba5649950fb4e0
- SSDEEP
  
  1536:PqSXRGFkavNU2n0mkMhOlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:dB5G620WhOltOrWKDBr+yJb
Score

10^/10

persistence gozi banker isfb trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gozibankerisfbpersistencetrojan