gozi | c0ab00c594a4a0e37567f2646b17c1343e0d5c6df5fa23b513729570ab1c26e0 | Triage

Sharing

General

Target

9efa61d7b1d1e6c2f306a15557a53da0_NeikiAnalytics.exe
Size

163KB
Sample

240519-h59mmagc56
MD5

9efa61d7b1d1e6c2f306a15557a53da0
SHA1

3acebadce708dfc319013df4b5c391fb4ad15686
SHA256

c0ab00c594a4a0e37567f2646b17c1343e0d5c6df5fa23b513729570ab1c26e0
SHA512

913ec73f27fe7bb6ffd7871a4b94ca91e33cde6d14f5974bfde828063f851eb2c9f0cb430b29728b9d81cd70a3a510f607fe9f59ada826d9ba27bda042d5a072
SSDEEP

1536:PSTy8yi0ku3P8hH9vpDJw15pAnzi36pxYtH2MOpeBSnlProNVU4qNVUrk/9QbfBR:aTyxD4ikwIltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  9efa61d7b1d1e6c2f306a15557a53da0_NeikiAnalytics.exe
- Size
  
  163KB
- MD5
  
  9efa61d7b1d1e6c2f306a15557a53da0
- SHA1
  
  3acebadce708dfc319013df4b5c391fb4ad15686
- SHA256
  
  c0ab00c594a4a0e37567f2646b17c1343e0d5c6df5fa23b513729570ab1c26e0
- SHA512
  
  913ec73f27fe7bb6ffd7871a4b94ca91e33cde6d14f5974bfde828063f851eb2c9f0cb430b29728b9d81cd70a3a510f607fe9f59ada826d9ba27bda042d5a072
- SSDEEP
  
  1536:PSTy8yi0ku3P8hH9vpDJw15pAnzi36pxYtH2MOpeBSnlProNVU4qNVUrk/9QbfBR:aTyxD4ikwIltOrWKDBr+yJb
Score

10^/10

gozi banker isfb persistence trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozibankerisfbpersistencetrojan

behavioral2

gozibankerisfbpersistencetrojan