gozi | f5e56a262514ad5036a1fbe91e3c9ebedf0d874e2d95a91cb7e9693f60d8d33e | Triage

Sharing

General

Target

DATA DPR.exe
Size

920KB
Sample

240529-r34g9shf4t
MD5

a94f55d81f838e77fa3e5187c72e0f95
SHA1

72ab38cf2aa50c7358a0faa6d077b91d0898d20d
SHA256

f5e56a262514ad5036a1fbe91e3c9ebedf0d874e2d95a91cb7e9693f60d8d33e
SHA512

081f71a423a063fc566eba681a47c57bc2248fbcd20b451f6c9ac781c9d5061f89556a878b9559a1d0aa153d8b55610ab27b80ecbadc880eeb3b607d88fb1e8f
SSDEEP

24576:AMHDEzlk8VnuAibycLXe3tJACKnHMpxh:AUDEC8puAkW3tJAjnHO

Score

10^/10

gozi banker isfb spyware stealer trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  DATA DPR.exe
- Size
  
  920KB
- MD5
  
  a94f55d81f838e77fa3e5187c72e0f95
- SHA1
  
  72ab38cf2aa50c7358a0faa6d077b91d0898d20d
- SHA256
  
  f5e56a262514ad5036a1fbe91e3c9ebedf0d874e2d95a91cb7e9693f60d8d33e
- SHA512
  
  081f71a423a063fc566eba681a47c57bc2248fbcd20b451f6c9ac781c9d5061f89556a878b9559a1d0aa153d8b55610ab27b80ecbadc880eeb3b607d88fb1e8f
- SSDEEP
  
  24576:AMHDEzlk8VnuAibycLXe3tJACKnHMpxh:AUDEC8puAkW3tJAjnHO
Score

10^/10

gozi banker isfb spyware stealer trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gozibankerisfbspywarestealertrojan