gozi | 59f02c2c87f02a687c1977b6afccfbf662ba6e9e0ab4b4b8522b42278967b490 | Triage

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 06:15

Sharing

Report Analysis Logs

General

Target

KMSAuto Lite Portable v1.3.5.3/KMSAuto x64.exe
Size

1.6MB
MD5

91138712e5e691a39175f02f145681e6
SHA1

43a00a96fa01e9d4b38b50694dc09ddc3e54939b
SHA256

da87f54817fa427a78a3376e887013c8981e92e4394edaa210bc6557a6ca6930
SHA512

fdb1b99c51ca5a4a3910c46a276d54833161e427d97a9f65b7ad3b4732b4f36fba90ff71f9895cf128f863c903f6ac15e82dd224277bf17ccc5003f2bd6d2ff3
SSDEEP

49152:GG7X7Xfq0Xdqm66MzsNjGgnwuqL6DDf8T:9DjRdqm6LWKgne0s

Score

10^/10

gozi banker isfb trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/2320-0-0x0000000140000000-0x0000000140607000-memory.dmp	upx
behavioral1/memory/2320-1-0x0000000140000000-0x0000000140607000-memory.dmp	upx

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

KMSAuto x64.exe

pid process

2320 KMSAuto x64.exe
2320 KMSAuto x64.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

KMSAuto x64.exe

description	pid	process	target process
PID 2320 wrote to memory of 1968	2320	KMSAuto x64.exe	cmd.exe
PID 2320 wrote to memory of 1968	2320	KMSAuto x64.exe	cmd.exe
PID 2320 wrote to memory of 1968	2320	KMSAuto x64.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\KMSAuto Lite Portable v1.3.5.3\KMSAuto x64.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto Lite Portable v1.3.5.3\KMSAuto x64.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
2⤵
PID:1968

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2320-0-0x0000000140000000-0x0000000140607000-memory.dmp

Filesize
6.0MB

Download
memory/2320-1-0x0000000140000000-0x0000000140607000-memory.dmp

Filesize
6.0MB

Download