gozi | 06375dc0d376733b6e3764173d4b6c64821c37b3f98eb259313147ac1b76ee0f | Triage

Sharing

General

Target

5d963ad1a178286933bd64aee3fec2e0_NeikiAnalytics.exe
Size

163KB
Sample

240522-yyweesfa44
MD5

5d963ad1a178286933bd64aee3fec2e0
SHA1

22d961b16a4d779a88449f18d78a894f84f7a2d0
SHA256

06375dc0d376733b6e3764173d4b6c64821c37b3f98eb259313147ac1b76ee0f
SHA512

ac715ed11b56c4dc7dd62930a05080a5a4690eef942acf775a7cc25357b70a1c700a256f16b6e11cea6ef1fcc88baef0e43226f31efb0defb0cdf6868faa0c29
SSDEEP

1536:Ps2UYi2aWUNU6ka7tPph8FdD111111111111111111111111111111111n11p11G:UJ2a3C6dyhHE8ltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  5d963ad1a178286933bd64aee3fec2e0_NeikiAnalytics.exe
- Size
  
  163KB
- MD5
  
  5d963ad1a178286933bd64aee3fec2e0
- SHA1
  
  22d961b16a4d779a88449f18d78a894f84f7a2d0
- SHA256
  
  06375dc0d376733b6e3764173d4b6c64821c37b3f98eb259313147ac1b76ee0f
- SHA512
  
  ac715ed11b56c4dc7dd62930a05080a5a4690eef942acf775a7cc25357b70a1c700a256f16b6e11cea6ef1fcc88baef0e43226f31efb0defb0cdf6868faa0c29
- SSDEEP
  
  1536:Ps2UYi2aWUNU6ka7tPph8FdD111111111111111111111111111111111n11p11G:UJ2a3C6dyhHE8ltOrWKDBr+yJb
Score

10^/10

gozi banker isfb persistence trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozibankerisfbpersistencetrojan

behavioral2

gozibankerisfbpersistencetrojan