gozi | 75fe3d0a85c93e7fbcd12b4da720a92e6d767891d688a2da2ac8df948fb50c33 | Triage

Sharing

General

Target

d220fe663a310f232ac635ee7b9c1530N
Size

163KB
Sample

240910-b56gmssfkf
MD5

d220fe663a310f232ac635ee7b9c1530
SHA1

34fa3edef1a12b6294ece7c25552c3f766d2ec29
SHA256

75fe3d0a85c93e7fbcd12b4da720a92e6d767891d688a2da2ac8df948fb50c33
SHA512

6c9bcd7f07e2386541de70645ef06aefbe43eeaa78682c17c6d92a4fd9c0a1ad057a225179e731b492d37172cc4b9728c0e94db4bf5c7286fe9df66ad25dc9f4
SSDEEP

1536:PN6JwSkk0aAlwJi/KzkYP5DUEcTWwlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:l6JwSkk9wWFPfMWwltOrWKDBr+yJb

Score

10^/10

gozi banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  d220fe663a310f232ac635ee7b9c1530N
- Size
  
  163KB
- MD5
  
  d220fe663a310f232ac635ee7b9c1530
- SHA1
  
  34fa3edef1a12b6294ece7c25552c3f766d2ec29
- SHA256
  
  75fe3d0a85c93e7fbcd12b4da720a92e6d767891d688a2da2ac8df948fb50c33
- SHA512
  
  6c9bcd7f07e2386541de70645ef06aefbe43eeaa78682c17c6d92a4fd9c0a1ad057a225179e731b492d37172cc4b9728c0e94db4bf5c7286fe9df66ad25dc9f4
- SSDEEP
  
  1536:PN6JwSkk0aAlwJi/KzkYP5DUEcTWwlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:l6JwSkk9wWFPfMWwltOrWKDBr+yJb
Score

10^/10

discovery persistence gozi banker isfb trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

gozibankerdiscoveryisfbpersistencetrojan