gozi | 92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4 | Triage

Submit
Reports

Overview

overview

Static

static

3

92d37f9699...b4.exe

windows7-x64

92d37f9699...b4.exe

windows10-2004-x64

Sharing

General

Target

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4
Size

199KB
Sample

241108-b22paavlhq
MD5

b6472d999d771b922bf1c1b9e5da1c07
SHA1

b346bea7343dc739dad96e78d0a6a9fbff64d3f9
SHA256

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4
SHA512

fd0c5a1ead59f238fa4288dcfb08570c366ff7a5cfc4e78eca05284b7f75cb9f2fb7825064d5e2d48a9340d6c092a4605e803cb87f6f4882a510fe43dccc0cfd
SSDEEP

6144:g1BpcJrVKdeOPLTlKYoT4byFgUcVydDeT:UBHMOPXljoTHPn6T

Score

10^/10

gozi banker discovery isfb persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

Resource

win7-20240903-en

gozi banker discovery isfb persistence trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

Resource

win10v2004-20241007-en

gozi banker discovery isfb persistence trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

gozi

rsa_pubkey.plain

Targets

- Target
  
  92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4
- Size
  
  199KB
- MD5
  
  b6472d999d771b922bf1c1b9e5da1c07
- SHA1
  
  b346bea7343dc739dad96e78d0a6a9fbff64d3f9
- SHA256
  
  92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4
- SHA512
  
  fd0c5a1ead59f238fa4288dcfb08570c366ff7a5cfc4e78eca05284b7f75cb9f2fb7825064d5e2d48a9340d6c092a4605e803cb87f6f4882a510fe43dccc0cfd
- SSDEEP
  
  6144:g1BpcJrVKdeOPLTlKYoT4byFgUcVydDeT:UBHMOPXljoTHPn6T
Score

10^/10

gozi banker discovery isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozibankerdiscoveryisfbpersistencetrojan

behavioral2

gozibankerdiscoveryisfbpersistencetrojan

© 2018-2024

Terms | Privacy