gozi | 76397d748732f6ddf04130c19634808852d73711f6ee4d2829c171c2510cea7f | Triage

Sharing

General

Target

Plasmafree.exe
Size

16KB
Sample

240531-1ea1gseb3w
MD5

40e2ed614058109b9b93a33cb8787277
SHA1

503260dd9d33f949613fceef68b6143d8049d913
SHA256

76397d748732f6ddf04130c19634808852d73711f6ee4d2829c171c2510cea7f
SHA512

cff8562ef36ba896e546add6f303999a2b09c263ab8b6cb2b9907e3d6835c0af0aa4575639d5e3a0690f77cc8061027465db9621d2a7ecdb8d4261def16a2d28
SSDEEP

384:Qd3kw7ShTvn9G7851TzZfvw1+zWsptYcFwVc03K:Q7ShTy85RlfvwkDtYcFwVc6K

Score

10^/10

gozi banker isfb persistence spyware stealer trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  Plasmafree.exe
- Size
  
  16KB
- MD5
  
  40e2ed614058109b9b93a33cb8787277
- SHA1
  
  503260dd9d33f949613fceef68b6143d8049d913
- SHA256
  
  76397d748732f6ddf04130c19634808852d73711f6ee4d2829c171c2510cea7f
- SHA512
  
  cff8562ef36ba896e546add6f303999a2b09c263ab8b6cb2b9907e3d6835c0af0aa4575639d5e3a0690f77cc8061027465db9621d2a7ecdb8d4261def16a2d28
- SSDEEP
  
  384:Qd3kw7ShTvn9G7851TzZfvw1+zWsptYcFwVc03K:Q7ShTy85RlfvwkDtYcFwVc6K
Score

10^/10

gozi banker isfb persistence spyware stealer trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

gozibankerisfbpersistencespywarestealertrojan