gozi | 38919d669d09bb862fb10409fda03ab19b19ebf19e23643aa10bad3dfcf5ef91

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

melange.dll
Size

680KB
MD5

e64f11baf4702c7e8c48665e22fab125
SHA1

4e5adc8e8e980f3ddc40edbeb6af2d39545d6f05
SHA256

851cc6fec3ef98671e93301e4e7f0c23458464396d9f8dce7fc4e89802f48ad8
SHA512

88c6294e5254916fa0c93dcd129172978276804db3cde4cb9f757a0c75352373587e33abbb7cb99f6c76b425c1fb325819fa80d9ace138efa5ec8b7f701938c2
SSDEEP

12288:TOgVktK4arTQrNn4Gq0hS7M+M8uFKLrseaCoZSSi7Pq6b4bi:agWtja/QrNn4GqJY8v3sen1Dq3bi

Score

10^/10

gozi 2500 banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

2500

gtr.antoinfer.com

app.bighomegl.at

Attributes

build
250211
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2872	2984	rundll32.exe	83
PID 2984 wrote to memory of 2872	2984	rundll32.exe	83
PID 2984 wrote to memory of 2872	2984	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\melange.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\melange.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2872-0-0x00000000754FA000-0x00000000754FE000-memory.dmp

Filesize
16KB

Download
memory/2872-1-0x0000000075450000-0x000000007559B000-memory.dmp

Filesize
1.3MB

Download
memory/2872-2-0x0000000075450000-0x000000007559B000-memory.dmp

Filesize
1.3MB

Download
memory/2872-3-0x0000000000BE0000-0x0000000000BED000-memory.dmp

Filesize
52KB

Download
memory/2872-6-0x0000000075450000-0x000000007559B000-memory.dmp

Filesize
1.3MB

Download
memory/2872-7-0x00000000754FA000-0x00000000754FE000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads