gozi | 1b0fddf78b55d7a75648338952ab366ec874dd46b2833d3e23e685cdff5791fe | Triage

Sharing

General

Target

ae7aad44e9c92ae97d8bb55591bc9210_NeikiAnalytics.exe
Size

163KB
Sample

240520-e8a2pace9v
MD5

ae7aad44e9c92ae97d8bb55591bc9210
SHA1

787b844ec25a28ec8402a66ec077d9b80027d745
SHA256

1b0fddf78b55d7a75648338952ab366ec874dd46b2833d3e23e685cdff5791fe
SHA512

f39195458e30212196ff8d848ab3b3ec4a736b2b4b24c9c830f2a36e1bd9d6ca59bf06a63cbd9ae52e1ad15306cf18b9f250f3fc3b0288febcb342db8b37a449
SSDEEP

1536:Pdjrn9A1kblUCRikATIproFjfIOLXlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:RTC4xAT2oFjfIObltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  ae7aad44e9c92ae97d8bb55591bc9210_NeikiAnalytics.exe
- Size
  
  163KB
- MD5
  
  ae7aad44e9c92ae97d8bb55591bc9210
- SHA1
  
  787b844ec25a28ec8402a66ec077d9b80027d745
- SHA256
  
  1b0fddf78b55d7a75648338952ab366ec874dd46b2833d3e23e685cdff5791fe
- SHA512
  
  f39195458e30212196ff8d848ab3b3ec4a736b2b4b24c9c830f2a36e1bd9d6ca59bf06a63cbd9ae52e1ad15306cf18b9f250f3fc3b0288febcb342db8b37a449
- SSDEEP
  
  1536:Pdjrn9A1kblUCRikATIproFjfIOLXlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:RTC4xAT2oFjfIObltOrWKDBr+yJb
Score

10^/10

persistence gozi banker isfb trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

gozibankerisfbpersistencetrojan