gozi | 81f3c9ef76877647a56874054c58756d67e512ad55a0ab273dfa5e88dddd7c5c | Triage

Submit
Reports

Overview

overview

Static

static

3

tster.exe

windows10-2004-x64

tster.exe

windows11-21h2-x64

Sharing

General

Target

tster.exe
Size

11KB
Sample

240602-3f34rsba6x
MD5

feb6fd23d005b8d70446866b206042f8
SHA1

d7d01f6639e0f060e91a35949f9bf346aa0ea81a
SHA256

81f3c9ef76877647a56874054c58756d67e512ad55a0ab273dfa5e88dddd7c5c
SHA512

20f86fa77e079bd3794c32e793a9adb79ad7d847ca8d74591321153330dfa9aa15d11279b45a9497fec910b58533cdeedc293858fa29d20ffb80f96d519c70da
SSDEEP

192:52R8JP/PCS+plrpcV5K9+JPiukknPfhTx0ujmN+LKyOLi:58Q/a9plrpcVI9SKQfgutKyOL

Score

10^/10

gozi banker isfb spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

tster.exe

Resource

win10v2004-20240508-en

gozi banker isfb spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

tster.exe

Resource

win11-20240508-en

gozi banker isfb spyware stealer trojan

windows11-21h2-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  tster.exe
- Size
  
  11KB
- MD5
  
  feb6fd23d005b8d70446866b206042f8
- SHA1
  
  d7d01f6639e0f060e91a35949f9bf346aa0ea81a
- SHA256
  
  81f3c9ef76877647a56874054c58756d67e512ad55a0ab273dfa5e88dddd7c5c
- SHA512
  
  20f86fa77e079bd3794c32e793a9adb79ad7d847ca8d74591321153330dfa9aa15d11279b45a9497fec910b58533cdeedc293858fa29d20ffb80f96d519c70da
- SSDEEP
  
  192:52R8JP/PCS+plrpcV5K9+JPiukknPfhTx0ujmN+LKyOLi:58Q/a9plrpcVI9SKQfgutKyOL
Score

10^/10

gozi banker isfb spyware stealer trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gozibankerisfbspywarestealertrojan

behavioral2

gozibankerisfbspywarestealertrojan

© 2018-2024

Terms | Privacy