General

  • Target

    09f179936fe1e67f418803cb239fc3612f07b7ff64c8ba63ddd1bc230db8a4b3_NeikiAnalytics

  • Size

    163KB

  • Sample

    240521-glspbsfh38

  • MD5

    371e8864647b6c45d7dbfd98b8ebec40

  • SHA1

    d0bfad08c1356e59c6d34abb53c92e1b247d8004

  • SHA256

    09f179936fe1e67f418803cb239fc3612f07b7ff64c8ba63ddd1bc230db8a4b3

  • SHA512

    3b6ec40de3a89d73dd300ded61a38bd2d2ade0e91641857bd2ddfc1ea2db6e0b5b60044169f4d1f42f6d5eda2e90f571e1250ca419eea8f98d940f4fa01c1440

  • SSDEEP

    1536:P0hDEVGk+Nph/Yy8gba0dNG346lwUA7lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:mEu7EgS/A7ltOrWKDBr+yJb
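
Before acting on a report like this, confirm that the file in hand is the one the sandbox analysed. The following Python is an added example, not part of the sandbox's tooling: it recomputes the four cryptographic hashes listed above (SSDEEP is omitted because hashlib cannot compute it and fuzzy hashes are compared by similarity, not equality), checks them against the report, and cross-checks the SHA256 that the "<sha256>_NeikiAnalytics" target name embeds. The naming convention is taken from the Target line above; the stand-alone usage at the bottom assumes the sample path is passed as the first argument.

```python
import hashlib
import os
import re

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Expected values copied from the sandbox report above.
REPORT_HASHES = {
    "md5": "371e8864647b6c45d7dbfd98b8ebec40",
    "sha1": "d0bfad08c1356e59c6d34abb53c92e1b247d8004",
    "sha256": "09f179936fe1e67f418803cb239fc3612f07b7ff64c8ba63ddd1bc230db8a4b3",
    "sha512": "3b6ec40de3a89d73dd300ded61a38bd2d2ade0e91641857bd2ddfc1ea2db6e0b5b60044169f4d1f42f6d5eda2e90f571e1250ca419eea8f98d940f4fa01c1440",
}


def hash_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory buffer for every algorithm the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as hash_bytes, but streams the file so large samples are not read into memory at once."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def sha256_from_sample_name(name: str):
    """Extract the SHA256 that sandboxes embed as a 64-hex prefix in names like '<sha256>_NeikiAnalytics'.

    Returns None when the name does not start with a full SHA256."""
    m = re.match(r"^([0-9a-fA-F]{64})(?:[_.]|$)", name)
    return m.group(1).lower() if m else None


def verify_sample(actual: dict, expected: dict, sample_name: str = None) -> dict:
    """Return {algorithm: (expected, actual)} for every mismatch; an empty dict means the file matches.

    Comparison is case-insensitive. If a sample name is given, the SHA256 embedded in the
    name must also agree with the computed SHA256, otherwise a 'name_sha256' entry is added."""
    mismatches = {}
    for alg, want in expected.items():
        got = actual.get(alg)
        if got is not None and got.lower() != want.lower():
            mismatches[alg] = (want.lower(), got.lower())
    if sample_name is not None:
        named = sha256_from_sample_name(sample_name)
        if named != actual.get("sha256"):
            mismatches["name_sha256"] = (named, actual.get("sha256"))
    return mismatches


if __name__ == "__main__":
    import sys
    path = sys.argv[1]
    problems = verify_sample(hash_file(path), REPORT_HASHES, os.path.basename(path))
    print("sample matches report" if not problems else problems)
```

A non-empty result means you are not looking at the analysed file (a different build, a wrapper, or a corrupted download); in that case the behavioural findings below should not be assumed to apply.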

Malware Config

Extracted

Family

gozi

Targets

    • Target

      09f179936fe1e67f418803cb239fc3612f07b7ff64c8ba63ddd1bc230db8a4b3_NeikiAnalytics

    • Size

      163KB

    • MD5

      371e8864647b6c45d7dbfd98b8ebec40

    • SHA1

      d0bfad08c1356e59c6d34abb53c92e1b247d8004

    • SHA256

      09f179936fe1e67f418803cb239fc3612f07b7ff64c8ba63ddd1bc230db8a4b3

    • SHA512

      3b6ec40de3a89d73dd300ded61a38bd2d2ade0e91641857bd2ddfc1ea2db6e0b5b60044169f4d1f42f6d5eda2e90f571e1250ca419eea8f98d940f4fa01c1440

    • SSDEEP

      1536:P0hDEVGk+Nph/Yy8gba0dNG346lwUA7lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:mEu7EgS/A7ltOrWKDBr+yJb

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Gozi

      Gozi (also tracked as Ursnif/ISFB) is a well-known and widely distributed banking trojan.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, its ATT&CK ID and the number of matching signatures. T1547 is listed under both Persistence and Privilege Escalation because ATT&CK maps it to both tactics.

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1
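
The "Adds autorun key to be loaded by Explorer.exe on startup" signature above and the T1547.001 / T1112 entries describe the same registry write seen from two sides. The following Python is an added example, not the sandbox's own signature code and not taken from this report: it maps registry writes in the shape of a sandbox registry log to those techniques and ranks them by how suspicious the target path is. The Policies\Explorer\Run key is assumed to be the location behind the "loaded by Explorer.exe" signature (the report does not name the key); the Winlogon Shell/Userinit check (T1547.004) goes beyond this report as a related case; and the sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Registry locations that Explorer.exe / Winlogon process at logon and that
# malware such as Gozi abuses for persistence. Patterns match the key tail,
# so HKLM, HKCU, HKU\<SID> and Wow6432Node variants are all covered.
AUTORUN_KEYS = [
    # Classic Run / RunOnce keys: ATT&CK T1547.001.
    (re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunOnceEx)$", re.I),
     "T1547.001", "Run key processed by Explorer.exe at logon"),
    # Policies\Explorer\Run is also executed by Explorer.exe at logon and is
    # rarely used legitimately. ASSUMPTION: this is the key behind the sandbox's
    # "loaded by Explorer.exe" signature; the report itself does not name it.
    (re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$", re.I),
     "T1547.001", "Policies\\Explorer\\Run key processed by Explorer.exe at logon"),
    # Winlogon Shell / Userinit: T1547.004, not on this report, included as a related check.
    (re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$", re.I),
     "T1547.004", "Winlogon helper value"),
]

# Locations a standard user can write to. An autorun entry pointing there is
# far more suspicious than one pointing into Program Files.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|\\ProgramData\\)", re.I)


@dataclass
class RegistryWrite:
    key: str         # full key path, e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    value_name: str  # value written under that key
    data: str        # value data, normally a command line or path


@dataclass
class Finding:
    technique: str
    reason: str
    high_confidence: bool  # True when the autorun target lives in a user-writable path
    write: RegistryWrite


def classify_registry_write(w: RegistryWrite) -> Optional[Finding]:
    """Map one registry write to an ATT&CK technique, or None if the key is not an autorun location."""
    for pattern, technique, reason in AUTORUN_KEYS:
        if not pattern.search(w.key):
            continue
        if technique == "T1547.004" and w.value_name.lower() not in ("shell", "userinit"):
            return None  # other Winlogon values are not autostart hooks
        return Finding(technique, reason, bool(USER_WRITABLE.search(w.data)), w)
    return None


def triage_registry_writes(writes):
    """Return findings for every autorun write, most suspicious first."""
    findings = [f for f in map(classify_registry_write, writes) if f]
    findings.sort(key=lambda f: not f.high_confidence)  # stable: keeps log order within a tier
    return findings


# Constructed sample events in the shape of a sandbox registry log; not taken from the report.
SAMPLE_WRITES = [
    RegistryWrite(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "wincfg",
                  r"C:\Users\user\AppData\Roaming\Microsoft\wincfg.exe"),
    RegistryWrite(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "svc",
                  r"C:\ProgramData\svc\svc.exe"),
    RegistryWrite(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "2"),
    RegistryWrite(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
                  r"C:\Program Files\Windows Defender\MSASCuiL.exe"),
]

if __name__ == "__main__":
    for f in triage_registry_writes(SAMPLE_WRITES):
        tier = "high" if f.high_confidence else "low"
        print(f"{f.technique} [{tier}] {f.write.key}\\{f.write.value_name} = {f.write.data}")
```

The benign Explorer\Advanced write is ignored rather than reported as T1112: every registry write technically qualifies as Modify Registry, so a detector that flags all of them produces nothing but noise. Reserve T1112 for writes to keys that matter (autorun locations, security settings) and rank by the target path, as above.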

Tasks