gozi | 1e70357f5dc9cdf75a19bc27e711652dee9713b7f189aa1fed85165952b59217 | Triage

Sharing

General

Target

ab546cc4b51ffb2c213bea7a64439140_NeikiAnalytics.exe
Size

163KB
Sample

240517-ffttrsab89
MD5

ab546cc4b51ffb2c213bea7a64439140
SHA1

2a56612258ffdc8cf28b430423123f306280ebd3
SHA256

1e70357f5dc9cdf75a19bc27e711652dee9713b7f189aa1fed85165952b59217
SHA512

bb03bec5e4424afedcf8647717178ab3f4b72be71fd99f64b707aef0d1b0d080db43144574b065c1139682bca9867d4ea39675b09b8895fe401fa06540980084
SSDEEP

1536:PKFhyOTx5fxHPqVU4ToY0+et3mylProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:s4gvOoY0rcyltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  ab546cc4b51ffb2c213bea7a64439140_NeikiAnalytics.exe
- Size
  
  163KB
- MD5
  
  ab546cc4b51ffb2c213bea7a64439140
- SHA1
  
  2a56612258ffdc8cf28b430423123f306280ebd3
- SHA256
  
  1e70357f5dc9cdf75a19bc27e711652dee9713b7f189aa1fed85165952b59217
- SHA512
  
  bb03bec5e4424afedcf8647717178ab3f4b72be71fd99f64b707aef0d1b0d080db43144574b065c1139682bca9867d4ea39675b09b8895fe401fa06540980084
- SSDEEP
  
  1536:PKFhyOTx5fxHPqVU4ToY0+et3mylProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:s4gvOoY0rcyltOrWKDBr+yJb
Score

10^/10

persistence gozi banker isfb trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gozibankerisfbpersistencetrojan