gozi | 34e6ca7fcd9b02405980bd6a92e20b8f972b0988e90576135c4ce12216f12f7e | Triage

Submit
Reports

Overview

overview

Static

static

3

bc4d2fd23a...18.exe

windows7-x64

bc4d2fd23a...18.exe

windows10-2004-x64

Sharing

General

Target

bc4d2fd23a3ca94216443cea23381b54_JaffaCakes118
Size

816KB
Sample

240618-q8q9fswfqc
MD5

bc4d2fd23a3ca94216443cea23381b54
SHA1

7f3c793c3c6414d223f5ce7d5090bb9dc2dcd709
SHA256

34e6ca7fcd9b02405980bd6a92e20b8f972b0988e90576135c4ce12216f12f7e
SHA512

4f7ede4877feccbeb063cf7a2c9bcfe5c9e31f0336800f92c42259153724682599d466aa7500f344c6c370e3b300b3dc3ee4212f00b655bddc2a79fbafe0d5e9
SSDEEP

12288:6crq243ICNz1TJ987E77JALCkUBmke6dfDKT2UD4w3E1/JoV0TCV+Z:6e4d1q7o7Bkz3NDSpyG6+Z

Score

10^/10

gozi 1000 banker collection isfb persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bc4d2fd23a3ca94216443cea23381b54_JaffaCakes118.exe

Resource

win7-20231129-en

gozi 1000 banker collection isfb persistence trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

bc4d2fd23a3ca94216443cea23381b54_JaffaCakes118.exe

Resource

win10v2004-20240611-en

gozi 1000 banker collection isfb persistence trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

purbs.com

makarcheck.com

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  bc4d2fd23a3ca94216443cea23381b54_JaffaCakes118
- Size
  
  816KB
- MD5
  
  bc4d2fd23a3ca94216443cea23381b54
- SHA1
  
  7f3c793c3c6414d223f5ce7d5090bb9dc2dcd709
- SHA256
  
  34e6ca7fcd9b02405980bd6a92e20b8f972b0988e90576135c4ce12216f12f7e
- SHA512
  
  4f7ede4877feccbeb063cf7a2c9bcfe5c9e31f0336800f92c42259153724682599d466aa7500f344c6c370e3b300b3dc3ee4212f00b655bddc2a79fbafe0d5e9
- SSDEEP
  
  12288:6crq243ICNz1TJ987E77JALCkUBmke6dfDKT2UD4w3E1/JoV0TCV+Z:6e4d1q7o7Bkz3NDSpyG6+Z
Score

10^/10

gozi 1000 banker collection isfb persistence trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Process Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gozi1000bankercollectionisfbpersistencetrojan

behavioral2

gozi1000bankercollectionisfbpersistencetrojan

© 2018-2024

Terms | Privacy