gozi | 93b1135cdbed6e1bf1269248d28e5a5f74fb5cb234c6385b56d025839bada289 | Triage

Sharing

General

Target

72d70e94e54ba232ba3f798699669990_JaffaCakes118
Size

446KB
Sample

241024-h5vhpsycmd
MD5

72d70e94e54ba232ba3f798699669990
SHA1

16f257adf89a56a93a6be45bf470a71d4d570d26
SHA256

93b1135cdbed6e1bf1269248d28e5a5f74fb5cb234c6385b56d025839bada289
SHA512

e024605c3469c27d470dc2cdb17bdef55507c80feb81969531277f96083d96511ab4e14d16f61f1723e0a97a69f6c201cfb34ac3584da8ba415e5f05582a139d
SSDEEP

12288:rFQyFgwMQsXS3NG5ddoM4YQYgDhgvMph5O0ZcQ:rSyFgTQ9NydHQ3evs15

Score

10^/10

gozi 3000 banker discovery evasion isfb persistence ransomware trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3000

C2

unikymprogress.ru

Attributes

build
214664
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  72d70e94e54ba232ba3f798699669990_JaffaCakes118
- Size
  
  446KB
- MD5
  
  72d70e94e54ba232ba3f798699669990
- SHA1
  
  16f257adf89a56a93a6be45bf470a71d4d570d26
- SHA256
  
  93b1135cdbed6e1bf1269248d28e5a5f74fb5cb234c6385b56d025839bada289
- SHA512
  
  e024605c3469c27d470dc2cdb17bdef55507c80feb81969531277f96083d96511ab4e14d16f61f1723e0a97a69f6c201cfb34ac3584da8ba415e5f05582a139d
- SSDEEP
  
  12288:rFQyFgwMQsXS3NG5ddoM4YQYgDhgvMph5O0ZcQ:rSyFgTQ9NydHQ3evs15
Score

10^/10

gozi 3000 banker discovery evasion isfb persistence ransomware trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Windows security bypass
  evasion trojan
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

gozi3000bankerdiscoveryevasionisfbpersistenceransomwaretrojan

behavioral2