gozi | 5a6a889f9381e40f2e3334dc18f1e77a8ef5ed45d08fb9fe8510348b77cd3401 | Triage

Submit
Reports

Overview

overview

Static

static

3

byfronx.exe

windows7-x64

3

byfronx.exe

windows10-2004-x64

Sharing

General

Target

byfronx_build2.3.zip
Size

9KB
Sample

240602-a9jb8sdb2v
MD5

f06cddbdf537ca9327ba651ecf530449
SHA1

0fca44fa6ad62312be681a983539f88642b00c88
SHA256

5a6a889f9381e40f2e3334dc18f1e77a8ef5ed45d08fb9fe8510348b77cd3401
SHA512

1e4ed2afd66fee23c4c6a15a45da0eaa13386f9525ed2896884642fd608a801002cfa59cc33cc73b3b89dfe58c1f1aa74768a388dd95026bbb7e32cae45a2542
SSDEEP

192:7sh7AO+M+/CjukGKnnjY1rwkrgEnrYg+LrW3ZZ6zkue85Fkp+CA8EN2s6D:s7hmmuqn8I+uwZZ+O7JAtMVD

Score

10^/10

gozi banker isfb spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

byfronx.exe

Resource

win7-20240508-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

byfronx.exe

Resource

win10v2004-20240426-en

gozi banker isfb spyware stealer trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  byfronx.exe
- Size
  
  11KB
- MD5
  
  4d1b12832ef20bf2acaa4e8f10664d0e
- SHA1
  
  c8898fb62b2fc8dd5128ba6f4c4c750737496da7
- SHA256
  
  20af88559726e7022ef0531232bb25a9ec1a4c7fd45ea80ff5d414b9d8e16438
- SHA512
  
  23bd9d057e44890597d39a3d364985d75de25fb6c35791a8ec0beb365f677425ab162d86cbfa8bd10d6c8cfc87986efee1e04ac95d1bb675b9f1042cb64cb34e
- SSDEEP
  
  192:5D8JPEKHC+LcBheE5XDAf72k13QgtCz8/1W+GArT0I7TA0c:5DInHlUhxdDAz2axCz8/1sp
Score

10^/10

gozi banker isfb spyware stealer trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gozibankerisfbspywarestealertrojan

© 2018-2024

Terms | Privacy