gozi | 8d89606427eeaf7fca903d0b940cec31e03e93b5b5ee7e620d1944aa70469e85 | Triage

Resubmissions

01-06-2024 18:34

240601-w76kmsca62 10

01-06-2024 18:27

240601-w3wjwabg56 10

Sharing

General

Target

injector_build.zip
Size

8KB
Sample

240601-w3wjwabg56
MD5

5e475aefad0255db8384381cee0df7b0
SHA1

efd65b003211aee84e5f770d786458f5aadbafff
SHA256

8d89606427eeaf7fca903d0b940cec31e03e93b5b5ee7e620d1944aa70469e85
SHA512

35d63a3060ed1a30e66b7029e3ab13de19de8c253315efdb484a6085edb5c21de3862f8fe093cbf35023f93b414b684e1ae3f1e6559223f4db3c160ac7a04e86
SSDEEP

192:t2fq259obpfsxZy/FJBk88rgfnNOyGN/YNMfTgfUQL4q9qtu:Gq25Wpfqy/F7k88u/GNOMfkcQkq9qtu

Score

10^/10

gozi banker isfb spyware stealer trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  injector_build.zip
- Size
  
  8KB
- MD5
  
  5e475aefad0255db8384381cee0df7b0
- SHA1
  
  efd65b003211aee84e5f770d786458f5aadbafff
- SHA256
  
  8d89606427eeaf7fca903d0b940cec31e03e93b5b5ee7e620d1944aa70469e85
- SHA512
  
  35d63a3060ed1a30e66b7029e3ab13de19de8c253315efdb484a6085edb5c21de3862f8fe093cbf35023f93b414b684e1ae3f1e6559223f4db3c160ac7a04e86
- SSDEEP
  
  192:t2fq259obpfsxZy/FJBk88rgfnNOyGN/YNMfTgfUQL4q9qtu:Gq25Wpfqy/F7k88u/GNOMfkcQkq9qtu
Score

1^/10
behavioral1
- Target
  
  injector.exe
- Size
  
  12KB
- MD5
  
  ea74d941f3d9b92bd05de9ef96b5f6c5
- SHA1
  
  e912ddd0828cbef8ff6555818fabf06e235d08f5
- SHA256
  
  fe6a6d1e57b00eef714b1e3bedbc96a786f6749d6eb822bc14a7a7e4913ce1b0
- SHA512
  
  11cdb3412abb0acfc3598f89741691094147bd421d0f4fd21cc66bff3797e40e9ff0c8f913821b898759d67e852584fb868e705c4fa217618589f8078b2a3213
- SSDEEP
  
  192:61Cs6L8OVuRWCfIvzYknpp4r0xv0iSe8GA7HaN+Xdzl4PFUZ8izxH8J+IBy:dsOxCfIvzFB5XE6OzlakrtHqo
Score

10^/10

gozi banker isfb spyware stealer trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gozibankerisfbspywarestealertrojan