General

  • Target: RNSM00281.7z
  • Size: 8.3MB
  • Sample: 241120-tlylssyfjb
  • MD5: b3cbda3981676b194a7913ac174b3051
  • SHA1: 5945bbb76d5c488f49775e009cd44bbbc469ed09
  • SHA256: 67c46af78643577175e2b0529cc9f6d4e90ee1dcb57db0a427cd8f648fb67d14
  • SHA512: bca3e77ce210be97098a7ca4878aa77689c5147a0f41cf70df11cf093aae866837455af2156bf8ee10fb756e103d15493e07767b854741de6f1cb0b65db604b3
  • SSDEEP: 196608:gqeLVyehU5T52aFW+wBr3+O27mzaWD/5W+EFal9erizC3:SnhCTPwBKZ9Wr5qIHmiw

Malware Config

Extracted

  • Family: gozi

Targets

    • Target: RNSM00281.7z

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Gozi family

    • Contacts a large number (7699) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • System Binary Proxy Execution: Verclsid

      Adversaries may abuse Verclsid to proxy execution of malicious code.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15