Overview

overview

10

Static

static

10

ad31fdc24b...58.exe

windows7-x64

10

ad31fdc24b...58.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ad31fdc24bf08ff3caa4ca62cc7e0228b93c0f6ffc571f6f44ba182520d80958

  • Size

    163KB

  • Sample

    240607-fsdnbaaa8t

  • MD5

    0f7ab0fd414567e38cba4f60e2cfe680

  • SHA1

    f0a4ddaa0e1dfa915300b9ba657379d60fe3e231

  • SHA256

    ad31fdc24bf08ff3caa4ca62cc7e0228b93c0f6ffc571f6f44ba182520d80958

  • SHA512

    d116bbbfe9d596e7aadd11c150cea73ae1b048fbfcdcf49df25b7c08bc080c06293878448168426db411040f02a089e2314101a3ed15d3905f863828a1d037b6

  • SSDEEP

    3072:2bSkUg5LLn0RMf6ADqMltOrWKDBr+yJb:2bSkUg5LLn0yf6+qMLOf

Score
10/10
gozibankerisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Targets

    • Target

      ad31fdc24bf08ff3caa4ca62cc7e0228b93c0f6ffc571f6f44ba182520d80958

    • Size

      163KB

    • MD5

      0f7ab0fd414567e38cba4f60e2cfe680

    • SHA1

      f0a4ddaa0e1dfa915300b9ba657379d60fe3e231

    • SHA256

      ad31fdc24bf08ff3caa4ca62cc7e0228b93c0f6ffc571f6f44ba182520d80958

    • SHA512

      d116bbbfe9d596e7aadd11c150cea73ae1b048fbfcdcf49df25b7c08bc080c06293878448168426db411040f02a089e2314101a3ed15d3905f863828a1d037b6

    • SSDEEP

      3072:2bSkUg5LLn0RMf6ADqMltOrWKDBr+yJb:2bSkUg5LLn0yf6+qMLOf

    Score
    10/10
    gozibankerisfbpersistencetrojan

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Detects executables built or packed with MPress PE compressor

    • UPX dump on OEP (original entry point)

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks