gozi | 8eebed272994240553654294949b8390a7009fb3a3ca66dc071d87f64209d986 | Triage

Submit
Reports

Overview

overview

Static

static

3

RX7??????/...??.exe

windows7-x64

7

RX7??????/...??.exe

windows10-1703-x64

RX7??????/...??.exe

windows10-2004-x64

7

RX7??????/...??.exe

windows11-21h2-x64

7

Sharing

General

Target

RX7劫持远程控制.zip
Size

14.1MB
Sample

240629-m9c7fawenc
MD5

e4fdacf80aac030ca8c13921d58d9258
SHA1

5bcc4c05171da69e9cfb647904e744269cbc197e
SHA256

8eebed272994240553654294949b8390a7009fb3a3ca66dc071d87f64209d986
SHA512

7fbe13097d6bc84d8d5c4020ac57e7ad4be5f702e741fe40e81dfcd39b02426dfad5d971e055a9facd4ef1dde2358f27868eb5e6302462b09164a2e998a47d1b
SSDEEP

196608:p37i71DuF7IdEdCQty+9r5XwFvpXoC5bq6x/3AT1SUK+4gt7rMur2VmLxgW:pLixDwdCir5cpXrQK3Ax54aQhW

Score

10^/10

gozi banker defense_evasion isfb privilege_escalation trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

RX7??????/RX7??????.exe

Resource

win7-20240221-en

defense_evasion privilege_escalation upx

windows7-x64

16 signatures

300 seconds

Behavioral task

behavioral2

Sample

RX7??????/RX7??????.exe

Resource

win10-20240404-en

gozi banker defense_evasion isfb privilege_escalation trojan upx

windows10-1703-x64

26 signatures

300 seconds

Behavioral task

behavioral3

Sample

RX7??????/RX7??????.exe

Resource

win10v2004-20240508-en

defense_evasion privilege_escalation upx

windows10-2004-x64

23 signatures

300 seconds

Behavioral task

behavioral4

Sample

RX7??????/RX7??????.exe

Resource

win11-20240419-en

defense_evasion privilege_escalation upx

windows11-21h2-x64

24 signatures

300 seconds

Malware Config

Extracted

Family

gozi

Targets

- Target
  
  RX7??????/RX7??????.exe
- Size
  
  9.0MB
- MD5
  
  9bb985a8d656695e7145b476f5843d9b
- SHA1
  
  692349d245063578785f536eff53e74cb2ed3e8f
- SHA256
  
  016c08c41d90c4824da1a0986cb76ff50fd529ad699b6fdb02ce2b9bcdcd7fa1
- SHA512
  
  5ea151ae0e88a16e908e5fe5446248095e8aed337617b375dae00cbf01cd7c93153c37315bb20f6579b7a17e908e8f8873577e680a387dc54da535f6c3756430
- SSDEEP
  
  98304:bhR4VT3Qs1nkoqshkmafkVsKys31+9KiugFWQJtbGkPQlrW5pDwffds7p8PLC4G/:dmVjTVkoNnekL3wDBP2yiW7LnM/kVa92
Score

10^/10

defense_evasion privilege_escalation upx gozi banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

Create Process with Token

Defense Evasion

Access Token Manipulation

Create Process with Token

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

defense_evasionprivilege_escalationupx

behavioral2

gozibankerdefense_evasionisfbprivilege_escalationtrojanupx

behavioral3

defense_evasionprivilege_escalationupx

behavioral4

defense_evasionprivilege_escalationupx

© 2018-2024

Terms | Privacy