gozi | b31e91aa44393ac28366e2dbe207d4836f3e7c4b6e2a972f15fd619bd20c39ee | Triage

Submit
Reports

Overview

overview

Static

static

3

updater.exe

windows10-2004-x64

Sharing

General

Target

updater.exe
Size

11KB
Sample

240601-z585jafc2t
MD5

c12f497b375cd6c00b79767118af3d64
SHA1

df324df4328fa86ae0e7d7bb4f8ee73a224e9f96
SHA256

b31e91aa44393ac28366e2dbe207d4836f3e7c4b6e2a972f15fd619bd20c39ee
SHA512

649a284cc3ed982a686d785890633771e6e3a3cae09d8289938fc16be312fe0c699dc7ea24433b28327b8c3ed2e85a7430d75ab27516ac983eb3e5e9acab2b97
SSDEEP

192:5XYC8JnnVGge8BHm5J4X/5WcfLGp2pab3OwhQJZ0:5XYCy48BcJ4XRjfLdaLOH7

Score

10^/10

gozi banker isfb spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

updater.exe

Resource

win10v2004-20240426-en

gozi banker isfb spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  updater.exe
- Size
  
  11KB
- MD5
  
  c12f497b375cd6c00b79767118af3d64
- SHA1
  
  df324df4328fa86ae0e7d7bb4f8ee73a224e9f96
- SHA256
  
  b31e91aa44393ac28366e2dbe207d4836f3e7c4b6e2a972f15fd619bd20c39ee
- SHA512
  
  649a284cc3ed982a686d785890633771e6e3a3cae09d8289938fc16be312fe0c699dc7ea24433b28327b8c3ed2e85a7430d75ab27516ac983eb3e5e9acab2b97
- SSDEEP
  
  192:5XYC8JnnVGge8BHm5J4X/5WcfLGp2pab3OwhQJZ0:5XYCy48BcJ4XRjfLdaLOH7
Score

10^/10

gozi banker isfb spyware stealer trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gozibankerisfbspywarestealertrojan

© 2018-2024

Terms | Privacy