gozi | 7c9a748d42690c2f2e7f3018d32d3219481051719e44076c5c28c61facb81743 | Triage

Submit
Reports

Overview

overview

Static

static

7

0490ade50f...18.exe

windows7-x64

0490ade50f...18.exe

windows10-2004-x64

Sharing

General

Target

0490ade50ff45e406d37ca916cd81631_JaffaCakes118
Size

11KB
Sample

240620-k11v2atcll
MD5

0490ade50ff45e406d37ca916cd81631
SHA1

141df525ec7d7408f44b6dd4bec45f96903e91e6
SHA256

7c9a748d42690c2f2e7f3018d32d3219481051719e44076c5c28c61facb81743
SHA512

ce8c98951a9a21ac1bafddad08ee1a9e7abd29583dade44b51c37dcf519e42792efa5de011f4d784b1a62bf4b001707dfec416e1447edca996d7faa30f4cd850
SSDEEP

192:OL0D3fFmJGZ+BPfqRX9IuYS47BudEQltO2OZvcYXAaww9cjBg3iQq4+9jDN0+be:OgfgJGspBqGOO2IbXAaww9uuiB4UjDif

Score

10^/10

gozi banker isfb persistence privilege_escalation trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

0490ade50ff45e406d37ca916cd81631_JaffaCakes118.exe

Resource

win7-20240508-en

gozi banker isfb persistence privilege_escalation trojan upx

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

0490ade50ff45e406d37ca916cd81631_JaffaCakes118.exe

Resource

win10v2004-20240508-en

gozi banker isfb persistence privilege_escalation trojan upx

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  0490ade50ff45e406d37ca916cd81631_JaffaCakes118
- Size
  
  11KB
- MD5
  
  0490ade50ff45e406d37ca916cd81631
- SHA1
  
  141df525ec7d7408f44b6dd4bec45f96903e91e6
- SHA256
  
  7c9a748d42690c2f2e7f3018d32d3219481051719e44076c5c28c61facb81743
- SHA512
  
  ce8c98951a9a21ac1bafddad08ee1a9e7abd29583dade44b51c37dcf519e42792efa5de011f4d784b1a62bf4b001707dfec416e1447edca996d7faa30f4cd850
- SSDEEP
  
  192:OL0D3fFmJGZ+BPfqRX9IuYS47BudEQltO2OZvcYXAaww9cjBg3iQq4+9jDN0+be:OgfgJGspBqGOO2IbXAaww9uuiB4UjDif
Score

10^/10

gozi banker isfb persistence privilege_escalation trojan upx
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

AppInit DLLs

Privilege Escalation

Event Triggered Execution

AppInit DLLs

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gozibankerisfbpersistenceprivilege_escalationtrojanupx

behavioral2

gozibankerisfbpersistenceprivilege_escalationtrojanupx

© 2018-2024

Terms | Privacy