gozi | 12e3bf7f5ada97ddbbe2df095da92819baf4b380fa7340b6c7a1d1de813f8ae1

Sharing

Copy URL Twitter E-mail

General

Target

BlackHatWorm.zip
Size

1.1MB
Sample

240901-qckrss1hmd
MD5

3db85caa2bcd54ccb3ecd59cc99f4d3b
SHA1

b267e63f3ba531c839a86c8621db7e590b061e39
SHA256

12e3bf7f5ada97ddbbe2df095da92819baf4b380fa7340b6c7a1d1de813f8ae1
SHA512

17efd70cb89061542322bade7ddad3bdce69ca21fe151a457f69f66667963166cf7c335d77e730ddf3cfcab7638a2725f370a316e5707301b9b30437ed92d459
SSDEEP

24576:E0NrXTw7mSbpk6/39DnjS+9Qax2O3lqkmWfwD1F7+qGiiQedUGbcyk9:EcXTmmIpk+NrhGx+qhW4DTKq4sP/

Score

10^/10

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  Black Hat Worm/Black Hat Worm/BlackHatWorm.exe
- Size
  
  1.1MB
- MD5
  
  ff2d2c4638eabb42aea87ae084f65a6c
- SHA1
  
  7599c0c6ac507470ec8c85e9efa9f7bada802feb
- SHA256
  
  65c71566954fa20c2806222a6fdfaf4129f16954a89d9e50821aa2d27c41d89f
- SHA512
  
  b7864facd647afcbd436a80b3b60dc6b47137e96daa4d087fb0ec0ffc8e36e2c0305424f37cb5a2b3960cb38310b9403f79af83e68dadddb4f591a1389ed2ada
- SSDEEP
  
  6144:PbnV479d+YiP3Y3QvevhEtHvSFCW9fQNmn6lCPDA2h:Z4/+YiP3Y3QveuHvSFC5lC7A4
Score

8^/10

discovery execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  Black Hat Worm/Black Hat Worm/Mono.Cecil.dll
- Size
  
  263KB
- MD5
  
  cc0bc97cb18ac4e7c6f4decf0218a127
- SHA1
  
  8901c4a54995aed5e786dda0928905bcb98242e2
- SHA256
  
  ea592e7ba43cb057966778b0027c0d6e7ce9672741b5d3c8c927d48918366183
- SHA512
  
  e5865188de26c7e8d71c000224626d7dd0b26a5542acc9bf8f7974f5cb595386fd25e6e425ecaf57550e12600c6f37670a19a3a361381c10b97f9a26d1cfd856
- SSDEEP
  
  3072:Ko8MptdteyB+kknlDeYJgM67aBsPvVIoPbAFhA+9+qk7o++++9+OddQIZ9c1nquO:Ko8Icybkl6YJgMHgdnqujDbDW4i8XS
Score

1^/10
behavioral3 behavioral4
- Target
  
  Black Hat Worm/Black Hat Worm/Stub.exe
- Size
  
  27KB
- MD5
  
  61412b139cee2cbfc910525ae5f19799
- SHA1
  
  b126b4d26c64e199f76e3d3b32ac573b8cc5d71e
- SHA256
  
  1f13f94ef64afacddbd774d06b118cd1ca21e02851d423a6f4e7037452c804af
- SHA512
  
  d443f29f0610e2b28a23dcf62a965ded8cbbda4d410df35177904828b15bed18449d86ad2a13121967e12e4fa5c9fa4ffcb46ee049e7ad5f2401035ac018b099
- SSDEEP
  
  384:yDLeyHNTOogtXkUkDSvCjSux+RfXLTFF4PytCCJc/tj9l13oln+:yDtHN+QjSuEtLJE9ly+
Score

1^/10
behavioral5 behavioral6
- Target
  
  Black Hat Worm/Black Hat Worm/Worm.exe
- Size
  
  26KB
- MD5
  
  057326449c3eadbc10272dacb5a5094e
- SHA1
  
  00489d4b9364b08ec5a94256aeb49f2085886d2c
- SHA256
  
  e30bdc9096d64fbf37392c5541940564133ed9c90c7cbd7494befa5c4770dd2f
- SHA512
  
  f49ae816904969bc46288835f9ca94cff137b57e7cc59a6d32092014c997d0ef75db4fdbb088819ecf523d89e3e0be002a55e8b4728849ac27e058c9a219ea0b
- SSDEEP
  
  384:bgVw3YIqaUdnqK393AjAu62WZxnO5NbJwzXlp6NaUk6p67ag6b8m4QA8jS74:kVwIqUwsuxJccDb8vEq4
Score

1^/10
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8