Overview

overview

10

Static

static

10

13afd28bc3...8a.exe

windows7-x64

10

13afd28bc3...8a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    13afd28bc31c09e22573900f082dd1cd99fcdda625ed405da209114268f8398a

  • Size

    163KB

  • Sample

    240514-xhdn1aah8x

  • MD5

    03e82c38b4a49dcc13f13018246ad4e4

  • SHA1

    be77ce0b1fc33da8e91d5ea2a193512c8fcb7576

  • SHA256

    13afd28bc31c09e22573900f082dd1cd99fcdda625ed405da209114268f8398a

  • SHA512

    e1bcb394604d59ed7731b265c3d21a48b3bddbb6b8f1f30125324d27f04c17e95b611ddf0ff1c611dd590952781d1567c2095c43c098b95817a479d25b520a30

  • SSDEEP

    1536:PLx/xmtXHA4oMtwMGagQvPmqQjA8x+lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:j8HAFawPaHGt9x+ltOrWKDBr+yJb

Score
10/10
gozibankerisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Targets

    • Target

      13afd28bc31c09e22573900f082dd1cd99fcdda625ed405da209114268f8398a

    • Size

      163KB

    • MD5

      03e82c38b4a49dcc13f13018246ad4e4

    • SHA1

      be77ce0b1fc33da8e91d5ea2a193512c8fcb7576

    • SHA256

      13afd28bc31c09e22573900f082dd1cd99fcdda625ed405da209114268f8398a

    • SHA512

      e1bcb394604d59ed7731b265c3d21a48b3bddbb6b8f1f30125324d27f04c17e95b611ddf0ff1c611dd590952781d1567c2095c43c098b95817a479d25b520a30

    • SSDEEP

      1536:PLx/xmtXHA4oMtwMGagQvPmqQjA8x+lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:j8HAFawPaHGt9x+ltOrWKDBr+yJb

    Score
    10/10
    persistencegozibankerisfbtrojan

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Detects executables built or packed with MPress PE compressor

    • UPX dump on OEP (original entry point)

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks