gozi

Sharing

Copy URL

Twitter E-mail

General

Target

Roblox Executor.zip
Size

1.1MB
Sample

240602-mzfjtabg48
MD5

3d9de2969e08f6e887c7597c10f92946
SHA1

cb23f9b26cdd56afe3d43c0f8e026cd5f6a803f6
SHA256

d94fb310f5d8011facffe3ae89f5824fea7f6235c97972f11d8e9b05f3647d5a
SHA512

8833907d84211815bcf9ee38a329b84ed3e9b4fb7326deebcb97d67d48906a30490307059569aaf3046f980762920000194fcccce7dd9ee53f8864a85857a208
SSDEEP

24576:rJsNJm7t/vhlQwIom0yweNvZLkarcb63X0coffqkJ:rJsqBvIoKPjrce3X01RJ

Score

10^/10

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  Roblox Executor.zip
- Size
  
  1.1MB
- MD5
  
  3d9de2969e08f6e887c7597c10f92946
- SHA1
  
  cb23f9b26cdd56afe3d43c0f8e026cd5f6a803f6
- SHA256
  
  d94fb310f5d8011facffe3ae89f5824fea7f6235c97972f11d8e9b05f3647d5a
- SHA512
  
  8833907d84211815bcf9ee38a329b84ed3e9b4fb7326deebcb97d67d48906a30490307059569aaf3046f980762920000194fcccce7dd9ee53f8864a85857a208
- SSDEEP
  
  24576:rJsNJm7t/vhlQwIom0yweNvZLkarcb63X0coffqkJ:rJsqBvIoKPjrce3X01RJ
Score

1^/10
behavioral1 behavioral2
- Target
  
  Totally Not Pasted/autoexecute/test.txt
- Size
  
  69B
- MD5
  
  8117b088670ace343038cc9e404d5448
- SHA1
  
  b293a8ea46badf3268312b03ffdcbd87936070d2
- SHA256
  
  f7a90e5208841b920b622e0c94eb32653daa297c07d3f8e4abd532201dd5165f
- SHA512
  
  574acf89b137f2ea2259ec704e76ac04fab40a4166f1b5957fc5701bffbefb25ea8d5e1efadc5a2c7249acd6bde419c759589b37f073b162b25bed29ee677d26
Score

1^/10
behavioral3 behavioral4
- Target
  
  Totally Not Pasted/bin/api-docs.json
- Size
  
  5.9MB
- MD5
  
  19c541f355cad5fb427a38317479b698
- SHA1
  
  aebc5b3b123ab962606b6072806027d9b6c758e9
- SHA256
  
  6c003208304e585290c9a655c51e5789c4f3e4241a9abc0139a9dbeb5d2884b1
- SHA512
  
  78e3cbe554cdf02457a3892033ebd9f74c5b4446e306248594d682918ea5dc6e52cafe72b3bdf59fda1f9f5b3879576ca1ef2d35cebc66f1d55543b618bcf7e5
- SSDEEP
  
  24576:7ccjk1+ox2ptidmo2KtMTdxsuBqXhGz+rM:hiVuBqXhGz+rM
Score

3^/10
behavioral5 behavioral6
- Target
  
  Totally Not Pasted/bin/incognito-luau.dll
- Size
  
  1.3MB
- MD5
  
  157fd035b2a344a94166d7db3756df0e
- SHA1
  
  f221d28c1deb80b4e8d9201226435aefce6b0f75
- SHA256
  
  8716c75aff75941711aff8770836f47eb9a254416089ef3571c6fc9a338b3009
- SHA512
  
  fad0174fbd22f58dd4fcdaad8378c214270b4faeaca64d9cb306f50e9316072a4c417c5723c4123b8bf94a3dba6ef4e3303ec60f4a2cf0c3a54d8ab375ea717d
- SSDEEP
  
  24576:ZqBSLRktEBl6blwTUMD4zB1VU2bFjYWR0pMQUAqLRAovh4bSAXVVRNRfMXZO:ZqBSLRkt8l6blSU//+2bFfvA1SQVVRNk
Score

1^/10
behavioral7 behavioral8
- Target
  
  Totally Not Pasted/bin/save.json
- Size
  
  46B
- MD5
  
  877b13372acbf8bf740694d141d1aeb0
- SHA1
  
  0c764bef8a7c94ef610c129720d3d3d9a66fea3f
- SHA256
  
  1bc3e6bcf3d47756fe6e456ce68165d39ea8358186d1a9bb4b2e5911389b22c1
- SHA512
  
  38a6a7e7bf9572daeabbafb7bb1868d09f9b487e84e17da263f627315623952ab203c8dc5e940b6d59d15183bdd43d153a08ae421f12d085480e73fcbc3b5b82
Score

3^/10
behavioral10 behavioral9
- Target
  
  Totally Not Pasted/scripts/test.lua
- Size
  
  15B
- MD5
  
  45952b4f4540d4ea32b1a56b40dfcb54
- SHA1
  
  c43f61758aede460274cbe0a7a52ed3a8e06201a
- SHA256
  
  819627eee839b974a3a9905ea4f98b1fce63b9ef68a9a1030b39c52ec2046999
- SHA512
  
  5fae4efa4037c96b3012e825e1041ecb419b8b6ce6eeb2f4667228874ddb7be48137d9118dc676e6d1f430e71f68809837e4caea8fd65f6100624e63abb81e8a
Score

3^/10
behavioral11 behavioral12
- Target
  
  Totally Not Pasted/thegreatestexploit.exe
- Size
  
  11KB
- MD5
  
  b255f2988558b9dbc3cc5a9814803364
- SHA1
  
  6cab200559f340364b3a3cea3cf321e7d32cec97
- SHA256
  
  f2a05b8bcb63042b9af36a0aa52bca8ae9de5664edc6bb1a46499ab9516e4ae5
- SHA512
  
  5bcf60d73069c15087cce591b4f3bf125b3649528758068859c6ef510b811c336962afdc20ee29a805a90fd7eff98ae7b97062035666144ae0e78d19796773d3
- SSDEEP
  
  192:598Jf9mV2Xm51Mpa0kGea0ICntHvl7QYrm/sxn8Ft1eSwcU1r:59AoMpauL0/vhQYKUxsjJd8
Score

10^/10

gozi banker isfb spyware stealer trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral13 behavioral14
- Target
  
  Totally Not Pasted/workspace/.tests/appendfile.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

1^/10
behavioral15 behavioral16
- Target
  
  Totally Not Pasted/workspace/.tests/getcustomasset.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

1^/10
behavioral17 behavioral18
- Target
  
  Totally Not Pasted/workspace/.tests/isfile.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

1^/10
behavioral19 behavioral20
- Target
  
  Totally Not Pasted/workspace/.tests/listfiles/test_1.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

1^/10
behavioral21 behavioral22
- Target
  
  Totally Not Pasted/workspace/.tests/listfiles/test_2.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

1^/10
behavioral23 behavioral24
- Target
  
  Totally Not Pasted/workspace/.tests/loadfile.txt
- Size
  
  1B
- MD5
  
  8fa14cdd754f91cc6554c9e71929cce7
- SHA1
  
  4a0a19218e082a343a1b17e5333409af9d98f0f5
- SHA256
  
  252f10c83610ebca1a059c0bae8255eba2f95be4d1d7bcfa89d7248a82d9f111
- SHA512
  
  711c22448e721e5491d8245b49425aa861f1fc4a15287f0735e203799b65cffec50b5abd0fddd91cd643aeb3b530d48f05e258e7e230a94ed5025c1387bb4e1b
Score

1^/10
behavioral25 behavioral26
- Target
  
  Totally Not Pasted/workspace/.tests/readfile.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

1^/10
behavioral27 behavioral28
- Target
  
  Totally Not Pasted/workspace/.tests/writefile
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

1^/10
behavioral29 behavioral30
- Target
  
  Totally Not Pasted/workspace/.tests/writefile.txt
- Size
  
  7B
- MD5
  
  260ca9dd8a4577fc00b7bd5810298076
- SHA1
  
  53a5687cb26dc41f2ab4033e97e13adefd3740d6
- SHA256
  
  aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
- SHA512
  
  51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32