gozi | 6887886f60df1b5615fc840580183e324a24908a5de4528d191e9dc47190a7f6 | Triage

Submit
Reports

Overview

overview

Static

static

6887886f60...f6.exe

windows7-x64

6887886f60...f6.exe

windows10-2004-x64

Sharing

General

Target

6887886f60df1b5615fc840580183e324a24908a5de4528d191e9dc47190a7f6
Size

163KB
Sample

240513-171rlsfh2x
MD5

0c71e344d578f042f5ada5dee33701d0
SHA1

df2e6da00479455c64f3a3d31a6bff8b8e23549b
SHA256

6887886f60df1b5615fc840580183e324a24908a5de4528d191e9dc47190a7f6
SHA512

648a2f114d3350d6d981a818e64c8a4177a1658d6db8860e6d23dcd9bd74874b17d899ae8d8f2eca731191efddc2b64d0a9ed56a26500bb71cb8fa5b11e2fce4
SSDEEP

1536:PZOnypKk/dRIz14/VPKWs4QCFbr/lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:gyIk/daz2/VP9Znx/ltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

6887886f60df1b5615fc840580183e324a24908a5de4528d191e9dc47190a7f6.exe

Resource

win7-20240419-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

6887886f60df1b5615fc840580183e324a24908a5de4528d191e9dc47190a7f6.exe

Resource

win10v2004-20240508-en

gozi banker isfb persistence trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  6887886f60df1b5615fc840580183e324a24908a5de4528d191e9dc47190a7f6
- Size
  
  163KB
- MD5
  
  0c71e344d578f042f5ada5dee33701d0
- SHA1
  
  df2e6da00479455c64f3a3d31a6bff8b8e23549b
- SHA256
  
  6887886f60df1b5615fc840580183e324a24908a5de4528d191e9dc47190a7f6
- SHA512
  
  648a2f114d3350d6d981a818e64c8a4177a1658d6db8860e6d23dcd9bd74874b17d899ae8d8f2eca731191efddc2b64d0a9ed56a26500bb71cb8fa5b11e2fce4
- SSDEEP
  
  1536:PZOnypKk/dRIz14/VPKWs4QCFbr/lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:gyIk/daz2/VP9Znx/ltOrWKDBr+yJb
Score

10^/10

persistence gozi banker isfb trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Detects executables built or packed with MPress PE compressor
- UPX dump on OEP (original entry point)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gozibankerisfbpersistencetrojan

© 2018-2025

Terms | Privacy