gozi | c96907020c1616a90a271fff4cffc039d145217d1b86f2fd6c064a352d29da0a | Triage

Sharing

General

Target

abd782bd29dd78a3fb2536e77c6b00a3_NeikiAnalytics.exe
Size

163KB
Sample

240520-lktbpaec9s
MD5

abd782bd29dd78a3fb2536e77c6b00a3
SHA1

bfc22058f091f11f7e0e68ee6c1d9e4aad9d6634
SHA256

c96907020c1616a90a271fff4cffc039d145217d1b86f2fd6c064a352d29da0a
SHA512

6e53b92733128b2c29d0edfbfc705b3af61a544bb12323a672f265b184fe64dc83732ab3adec8a55f513a61c94f5e1faaefd186ecaa80bd4493da0c8864de79a
SSDEEP

1536:PSlpvAt1aWET7gdPa2xlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:IvGEP0asltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  abd782bd29dd78a3fb2536e77c6b00a3_NeikiAnalytics.exe
- Size
  
  163KB
- MD5
  
  abd782bd29dd78a3fb2536e77c6b00a3
- SHA1
  
  bfc22058f091f11f7e0e68ee6c1d9e4aad9d6634
- SHA256
  
  c96907020c1616a90a271fff4cffc039d145217d1b86f2fd6c064a352d29da0a
- SHA512
  
  6e53b92733128b2c29d0edfbfc705b3af61a544bb12323a672f265b184fe64dc83732ab3adec8a55f513a61c94f5e1faaefd186ecaa80bd4493da0c8864de79a
- SSDEEP
  
  1536:PSlpvAt1aWET7gdPa2xlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:IvGEP0asltOrWKDBr+yJb
Score

10^/10

persistence gozi banker isfb trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

gozibankerisfbpersistencetrojan