gozi | e2b1777d6ba9aeac4101580777d4902863951e469046325b120e5ac0031aa866 | Triage

Sharing

General

Target

72a3927017a698813a6ebad6e603f5c0N.exe
Size

163KB
Sample

240727-aq1r6svbll
MD5

72a3927017a698813a6ebad6e603f5c0
SHA1

68871a523cb5a686e043fd8b48408caac2150a8b
SHA256

e2b1777d6ba9aeac4101580777d4902863951e469046325b120e5ac0031aa866
SHA512

c34063abb20411eeff9069c031d241022b38803f8422303068e81afe777f7e8cb507b33bad4d3ae902019cef14668d84dfc4bd94cee086e9d7886dd3bd987ee6
SSDEEP

3072:ZEhAdQJYrAW8nMLK1BultOrWKDBr+yJb:OhA8nn/uLOf

Score

10^/10

gozi banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  72a3927017a698813a6ebad6e603f5c0N.exe
- Size
  
  163KB
- MD5
  
  72a3927017a698813a6ebad6e603f5c0
- SHA1
  
  68871a523cb5a686e043fd8b48408caac2150a8b
- SHA256
  
  e2b1777d6ba9aeac4101580777d4902863951e469046325b120e5ac0031aa866
- SHA512
  
  c34063abb20411eeff9069c031d241022b38803f8422303068e81afe777f7e8cb507b33bad4d3ae902019cef14668d84dfc4bd94cee086e9d7886dd3bd987ee6
- SSDEEP
  
  3072:ZEhAdQJYrAW8nMLK1BultOrWKDBr+yJb:OhA8nn/uLOf
Score

10^/10

discovery persistence gozi banker isfb trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

discoverypersistence

behavioral2

gozibankerdiscoveryisfbpersistencetrojan