gozi | 5b8731fc159eb3d7e49e3e776e2c81231ee1e58ffe1203d0ba7a5188b7c91d67 | Triage

Sharing

General

Target

4108c1be70c23b8e2680436982baf242.exe
Size

163KB
Sample

240517-rrqf9sbf2z
MD5

4108c1be70c23b8e2680436982baf242
SHA1

33019604478208ec43ef2d18a9d3a8c38748a838
SHA256

5b8731fc159eb3d7e49e3e776e2c81231ee1e58ffe1203d0ba7a5188b7c91d67
SHA512

18f14a4fd4583797df9b29cc2e6e40e232f4d52bee289bc4c31dba9e45877130308b3208d4c45564466f767b4f0b5c636e43d051a714db073cd2469af45efac8
SSDEEP

3072:DpA1iUVfuUtA9F//VWKuyZltOrWKDBr+yJb:DpIFzmF1WsZLOf

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  4108c1be70c23b8e2680436982baf242.exe
- Size
  
  163KB
- MD5
  
  4108c1be70c23b8e2680436982baf242
- SHA1
  
  33019604478208ec43ef2d18a9d3a8c38748a838
- SHA256
  
  5b8731fc159eb3d7e49e3e776e2c81231ee1e58ffe1203d0ba7a5188b7c91d67
- SHA512
  
  18f14a4fd4583797df9b29cc2e6e40e232f4d52bee289bc4c31dba9e45877130308b3208d4c45564466f767b4f0b5c636e43d051a714db073cd2469af45efac8
- SSDEEP
  
  3072:DpA1iUVfuUtA9F//VWKuyZltOrWKDBr+yJb:DpIFzmF1WsZLOf
Score

10^/10

persistence gozi banker isfb trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

gozibankerisfbpersistencetrojan