gozi | 0eb64bdbcabb0ca927dd7fae97e2cabce438a63bcf72d19b4e8dd75ebadc8a88 | Triage

Submit
Reports

Overview

overview

Static

static

3

b4fe51a467...18.exe

windows7-x64

b4fe51a467...18.exe

windows10-2004-x64

Sharing

General

Target

b4fe51a46727b61c1f6e4fa7b5012837_JaffaCakes118
Size

236KB
Sample

240616-yz2b3awbla
MD5

b4fe51a46727b61c1f6e4fa7b5012837
SHA1

9a513e9efc6ea9281b3df900e551d4108077832c
SHA256

0eb64bdbcabb0ca927dd7fae97e2cabce438a63bcf72d19b4e8dd75ebadc8a88
SHA512

9c8e4ff8b3941e8e4c5dd0af89b8a757b94abf48c32069653be59518bfdbd3db1c3ac1f53ef128634ad2461b2ae57f819231a4da15d7f657ee8375f7c2b2a9cb
SSDEEP

3072:Qv5SYl6fCyKvEMcDHSHwirYFYNDwsdoBjSqkCo7u7ZmSrC1qJE/:QBF6KyCvlrYy8sdGmUo7u7wt0e

Score

10^/10

gozi 1000 banker isfb persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

b4fe51a46727b61c1f6e4fa7b5012837_JaffaCakes118.exe

Resource

win7-20231129-en

gozi 1000 banker isfb persistence trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

b4fe51a46727b61c1f6e4fa7b5012837_JaffaCakes118.exe

Resource

win10v2004-20240508-en

gozi 1000 banker isfb persistence trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

musicvideotips.ru

musicvideoporntips.ru

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  b4fe51a46727b61c1f6e4fa7b5012837_JaffaCakes118
- Size
  
  236KB
- MD5
  
  b4fe51a46727b61c1f6e4fa7b5012837
- SHA1
  
  9a513e9efc6ea9281b3df900e551d4108077832c
- SHA256
  
  0eb64bdbcabb0ca927dd7fae97e2cabce438a63bcf72d19b4e8dd75ebadc8a88
- SHA512
  
  9c8e4ff8b3941e8e4c5dd0af89b8a757b94abf48c32069653be59518bfdbd3db1c3ac1f53ef128634ad2461b2ae57f819231a4da15d7f657ee8375f7c2b2a9cb
- SSDEEP
  
  3072:Qv5SYl6fCyKvEMcDHSHwirYFYNDwsdoBjSqkCo7u7ZmSrC1qJE/:QBF6KyCvlrYy8sdGmUo7u7wt0e
Score

10^/10

gozi 1000 banker isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gozi1000bankerisfbpersistencetrojan

behavioral2

gozi1000bankerisfbpersistencetrojan

© 2018-2024

Terms | Privacy