Overview

overview

10

Static

static

3

41e8873c2a...cs.exe

windows7-x64

10

41e8873c2a...cs.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    41e8873c2ad61bb2317d139994029573afbc3913a18b88664b60df655f1bc83d_NeikiAnalytics

  • Size

    163KB

  • Sample

    240521-ntaxtacc83

  • MD5

    e40cce08ca42e6f3ed342aaf4e980150

  • SHA1

    2f61292583e8c7cbc514a664789560cc025bc400

  • SHA256

    41e8873c2ad61bb2317d139994029573afbc3913a18b88664b60df655f1bc83d

  • SHA512

    cd8052916b8dba2284d9552dc6b5d6faac5b18cee73bda6f04aef05d357e0be5dc69385bb5f16a1aff9181dfa86aa64ad0cdcbc2ef6c6e79710dfa81dcfe21ae

  • SSDEEP

    1536:PYiCuVB3wjfSGGMvDId0dAT4aG54k+D+mpv+/lProNVU4qNVUrk/9QbfBr+7GwKn:D7VBlMQ0xaSf/ltOrWKDBr+yJb

Score
10/10
gozibankerisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Targets

    • Target

      41e8873c2ad61bb2317d139994029573afbc3913a18b88664b60df655f1bc83d_NeikiAnalytics

    • Size

      163KB

    • MD5

      e40cce08ca42e6f3ed342aaf4e980150

    • SHA1

      2f61292583e8c7cbc514a664789560cc025bc400

    • SHA256

      41e8873c2ad61bb2317d139994029573afbc3913a18b88664b60df655f1bc83d

    • SHA512

      cd8052916b8dba2284d9552dc6b5d6faac5b18cee73bda6f04aef05d357e0be5dc69385bb5f16a1aff9181dfa86aa64ad0cdcbc2ef6c6e79710dfa81dcfe21ae

    • SSDEEP

      1536:PYiCuVB3wjfSGGMvDId0dAT4aG54k+D+mpv+/lProNVU4qNVUrk/9QbfBr+7GwKn:D7VBlMQ0xaSf/ltOrWKDBr+yJb

    Score
    10/10
    persistencegozibankerisfbtrojan

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks