gozi | 2719c83d48bd5c92751bf2a92988400edccb034bba1486a985a84fe7a7e480af | Triage

Sharing

General

Target

d7b7c299fb7682df0831e32b18111640N
Size

163KB
Sample

240910-zaxg9atfkl
MD5

d7b7c299fb7682df0831e32b18111640
SHA1

16d81f4ab6ff73917f0cec8faca3917e391f01a5
SHA256

2719c83d48bd5c92751bf2a92988400edccb034bba1486a985a84fe7a7e480af
SHA512

33948c5edeb066e08ce463a3e2841d7053992d2c909d1357f9ddd91ac4ff6f0faf843626e3e036d256d72c9af88ff1df20263e8a1dc69f08fc483d961526c855
SSDEEP

3072:teLYKW7RV0gbebeQP+yHu0NZReUzxltOrWKDBr+yJb:MW7RV0gqq6VOixzxLOf

Score

10^/10

gozi banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  d7b7c299fb7682df0831e32b18111640N
- Size
  
  163KB
- MD5
  
  d7b7c299fb7682df0831e32b18111640
- SHA1
  
  16d81f4ab6ff73917f0cec8faca3917e391f01a5
- SHA256
  
  2719c83d48bd5c92751bf2a92988400edccb034bba1486a985a84fe7a7e480af
- SHA512
  
  33948c5edeb066e08ce463a3e2841d7053992d2c909d1357f9ddd91ac4ff6f0faf843626e3e036d256d72c9af88ff1df20263e8a1dc69f08fc483d961526c855
- SSDEEP
  
  3072:teLYKW7RV0gbebeQP+yHu0NZReUzxltOrWKDBr+yJb:MW7RV0gqq6VOixzxLOf
Score

10^/10

discovery persistence gozi banker isfb trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

gozibankerdiscoveryisfbpersistencetrojan