gozi | 0e55ce415a1abd393810616a746386db91e84afc0366e8b0865618e367da1aba | Triage

Sharing

General

Target

4cd62c7ec791eaa6bd1e98ba88a1fed0_NeikiAnalytics.exe
Size

163KB
Sample

240612-3g8qmsvfke
MD5

4cd62c7ec791eaa6bd1e98ba88a1fed0
SHA1

deb5a9563f72c1b7150a0d93d8e3a5d74b7cda68
SHA256

0e55ce415a1abd393810616a746386db91e84afc0366e8b0865618e367da1aba
SHA512

2abba0ccc276081702d85472800d40c28b37952b699dc10e87317da8d38ed85347f2b71cec3c30fd8849a577c72e85d6457c0a79626824509eac51a7f49e6503
SSDEEP

1536:PnE+mkrAiYoOAUs39etMdewzx96o3qH2ilProNVU4qNVUrk/9QbfBr+7GwKrPAsf:sUrkmneYtaHLltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  4cd62c7ec791eaa6bd1e98ba88a1fed0_NeikiAnalytics.exe
- Size
  
  163KB
- MD5
  
  4cd62c7ec791eaa6bd1e98ba88a1fed0
- SHA1
  
  deb5a9563f72c1b7150a0d93d8e3a5d74b7cda68
- SHA256
  
  0e55ce415a1abd393810616a746386db91e84afc0366e8b0865618e367da1aba
- SHA512
  
  2abba0ccc276081702d85472800d40c28b37952b699dc10e87317da8d38ed85347f2b71cec3c30fd8849a577c72e85d6457c0a79626824509eac51a7f49e6503
- SSDEEP
  
  1536:PnE+mkrAiYoOAUs39etMdewzx96o3qH2ilProNVU4qNVUrk/9QbfBr+7GwKrPAsf:sUrkmneYtaHLltOrWKDBr+yJb
Score

10^/10

gozi banker isfb persistence trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozibankerisfbpersistencetrojan

behavioral2

gozibankerisfbpersistencetrojan