gozi | 0d28bffbc18947f5b5948a9a2377fb54ba1b37117c0bbee9e51fdeeab5805608

Analysis

max time kernel
140s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53884f3120767d42dabef87b63e0d6b9cbb3be425f842c458d95d2b017dbe5c0.dll
Size

291KB
MD5

7098317fa62001df2fbfb2ad4b2f153a
SHA1

b9f0f53a1770ef080151407f1c2df845eae380fc
SHA256

53884f3120767d42dabef87b63e0d6b9cbb3be425f842c458d95d2b017dbe5c0
SHA512

8b53f9fdbd27a12a5a4cfc64c52c1163f1656b5af7ef0beaca0b485573383ed9b1d615f36b635659108d01f8f5f3207fcc10485d449e98e5f37cb550c0643ebd
SSDEEP

6144:GdNpq2chxLhtrEEx+8BwSjIjaN2l+htHH20fFCfcVtaK:o3chxlt8+jjAa2l+r2U4fct

Score

10^/10

gozi 9094 banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

9094

google.mail.com

firsone1.online

kdsjdsadas.online

Attributes

base_path
/jkloll/
build
250211
dga_season
10
exe_type
loader
extension
.mki
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 1748	2592	regsvr32.exe	31
PID 2592 wrote to memory of 1748	2592	regsvr32.exe	31
PID 2592 wrote to memory of 1748	2592	regsvr32.exe	31
PID 2592 wrote to memory of 1748	2592	regsvr32.exe	31
PID 2592 wrote to memory of 1748	2592	regsvr32.exe	31
PID 2592 wrote to memory of 1748	2592	regsvr32.exe	31
PID 2592 wrote to memory of 1748	2592	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\53884f3120767d42dabef87b63e0d6b9cbb3be425f842c458d95d2b017dbe5c0.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\53884f3120767d42dabef87b63e0d6b9cbb3be425f842c458d95d2b017dbe5c0.dll
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1748-0-0x0000000010026000-0x0000000010028000-memory.dmp

Filesize
8KB

Download
memory/1748-1-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/1748-2-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1748-5-0x0000000010026000-0x0000000010028000-memory.dmp

Filesize
8KB

Download
memory/1748-7-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads