gozi | 5b35c785af680dbd1ce4b17ff9b8e4e55bc6ec00c565dd4657d92812d1aaca09 | Triage

Sharing

General

Target

0de3d6fb7d8130562e6d639dd9783720_NeikiAnalytics.exe
Size

163KB
Sample

240524-sef8haaa5w
MD5

0de3d6fb7d8130562e6d639dd9783720
SHA1

8b146bc57163f3f4aecd6afc99116517c5ee3fb4
SHA256

5b35c785af680dbd1ce4b17ff9b8e4e55bc6ec00c565dd4657d92812d1aaca09
SHA512

1949d5dc91179e15e0e6f7ba20bc4a6787f1bc8a5e45153c6e1df3b0ae7157fb30fdab4241b4fca3f49d8e38a0a594960a335e4f70c080cb13b91bfe0f932a45
SSDEEP

3072:NW21hbgwUG53s/qqkzaltOrWKDBr+yJb:N8/q5zaLOf

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  0de3d6fb7d8130562e6d639dd9783720_NeikiAnalytics.exe
- Size
  
  163KB
- MD5
  
  0de3d6fb7d8130562e6d639dd9783720
- SHA1
  
  8b146bc57163f3f4aecd6afc99116517c5ee3fb4
- SHA256
  
  5b35c785af680dbd1ce4b17ff9b8e4e55bc6ec00c565dd4657d92812d1aaca09
- SHA512
  
  1949d5dc91179e15e0e6f7ba20bc4a6787f1bc8a5e45153c6e1df3b0ae7157fb30fdab4241b4fca3f49d8e38a0a594960a335e4f70c080cb13b91bfe0f932a45
- SSDEEP
  
  3072:NW21hbgwUG53s/qqkzaltOrWKDBr+yJb:N8/q5zaLOf
Score

10^/10

gozi banker isfb persistence trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gozibankerisfbpersistencetrojan

behavioral2