Overview

overview

10

Static

static

3

loader.exe

windows7-x64

3

loader.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    loader.exe

  • Size

    11KB

  • Sample

    240530-3vg5vaeh4z

  • MD5

    6654b1945e364bbbfc8db4523116f1b4

  • SHA1

    a86f8c2b4f92a5b0334782ef1316b2ed8d053134

  • SHA256

    95ab3090e9ccf9df22689e7edbf25ff261421b79c5dd96e473774bfcfb44df16

  • SHA512

    1c7ff65874cf1b662384a248f66a7547eb9321157f09a58c6500ece02b96095eacbbce960ecfda0d1a1a8a04e097066dd0571740c474f076b98f03964ec636b4

  • SSDEEP

    192:5U8JN0Uq+/7m21DQ8rpJlqH+XAUNEpRoffY3HWJic75TPkaw5:5U4/qMB1EaqH8ABVOKaw

Score
10/10
gozibankerisfbspywarestealertrojan

Malware Config

Extracted

Family

gozi

Targets

    • Target

      loader.exe

    • Size

      11KB

    • MD5

      6654b1945e364bbbfc8db4523116f1b4

    • SHA1

      a86f8c2b4f92a5b0334782ef1316b2ed8d053134

    • SHA256

      95ab3090e9ccf9df22689e7edbf25ff261421b79c5dd96e473774bfcfb44df16

    • SHA512

      1c7ff65874cf1b662384a248f66a7547eb9321157f09a58c6500ece02b96095eacbbce960ecfda0d1a1a8a04e097066dd0571740c474f076b98f03964ec636b4

    • SSDEEP

      192:5U8JN0Uq+/7m21DQ8rpJlqH+XAUNEpRoffY3HWJic75TPkaw5:5U4/qMB1EaqH8ABVOKaw

    Score
    10/10
    gozibankerisfbspywarestealertrojan

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks