gozi

General

Target

SkeetSpoofer.rar
Size

3.1MB
Sample

240602-pmtxsace2x
MD5

97529b0672a921476342765ed9912a79
SHA1

78fe6847666072f9c10e6490c3fc26d5255141d5
SHA256

d951abd01209f18b5b3ca2eb53babaefbe2db7cbe6abd1f2f902d69b29be5027
SHA512

ffc6e03b4d78634ae69c1d8e5ba1f31ed015efc125aa1490827b7ab2917913289067560d25d7ad2a3aad4fdffe681fea81b6442ecb588f598f0e6f4f66abd569
SSDEEP

49152:3375rCMzDMfF9HUClrBcPtxKxWTspUwluoccg3Dm+1HQ1VG4VCjTrGmv6eeE2Aqf:hHDg/8QWI11M4YjDvPMf

Score

10^/10

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  SkeetSpoofer.exe
- Size
  
  3.1MB
- MD5
  
  095d7a80e91925833bd6054e093eeb33
- SHA1
  
  4cfe20ac2e16de55ee5e4bf9179aead560a83b9b
- SHA256
  
  f968f78250a95d7b49fe220552d5b5d75a181fadbff9fad4934099b2c9ca7606
- SHA512
  
  ef17ba8d03ed6676eb9881dc88c1c91e25ee2144418611e998069dae8c41452ff47f177d9ff66dcb893a142bcffce5b57e72cc6521cb9a355b27990d03609b76
- SSDEEP
  
  98304:zv+ctl4+5F2Fu9vrt1fS9FZCAfXXXPZodjTM2:E+WFu9Tt18xfXPuj3
Score

10^/10

gozi banker evasion execution isfb spyware stealer themida trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1