gozi | d94ee7c246d69a4476f3770e0407fba97b2f27be1e3038fd6e4524f1437bec0f

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2024, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Backdoor.Win32.exe
Size

364KB
MD5

6488c5d6f1d83ea951ff66710f8baf60
SHA1

5c841e63193018b99ccf4f59f72e6fe6a12d153f
SHA256

d94ee7c246d69a4476f3770e0407fba97b2f27be1e3038fd6e4524f1437bec0f
SHA512

bfc373fe4cda92cb0bc949c3592a71c791a2569882df675533fcce61fbb1905159f50375a25a7232ca29862aaa2ca403021792a98a372c73ecc3793ce1c89ee9
SSDEEP

1536:AWzXF8CvrJ4PBhDP35u6hGUlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:Nh8k6DP346hpltOrWKDBr+yJb

Score

10^/10

gozi banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4816	4888	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Backdoor.Win32.exe

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 220
  2⤵
  - Program crash
  PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4888 -ip 4888
1⤵
PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4888-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4888-1-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download