Overview

overview

10

Static

static

1.bat

windows7_x64

1.bat

windows10_x64

10

Analysis

  • max time kernel
    1193s
  • max time network
    1195s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    07-09-2021 16:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.bat

  • Size

    5B

  • MD5

    53f31a089339194f333d2e3995dbb05e

  • SHA1

    d929c82d2ee727ccbea9c50c669a71075249899f

  • SHA256

    86b0c5a1e2b73b08fd54c727f4458649ed9fe3ad1b6e8ac9460c070113509a1e

  • SHA512

    d6f0e8c65e1fe60e81be2aee69b09b9a5df7519dff082cc4e51a705fb044a34db7198b40d480df0a048e32a7d2cf0c4090d64af123a5d852c21c8a35de4ff3fc

Score
10/10
gozi_ifsb1500bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1500

C2

atl.bigbigpoppa.com

pop.urlovedstuff.com
Attributes
  • build

    250211

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 39 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
    1⤵
      PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1196
        • C:\Windows\explorer.exe
          explorer .
          3⤵
            PID:2096
          • C:\Windows\system32\cscript.exe
            cscript 1.vbs
            3⤵
              PID:2616
            • C:\Windows\system32\notepad.exe
              notepad 1.txt
              3⤵
                PID:3868
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
            1⤵
            • Drops file in Windows directory
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2060
            • C:\Program Files\7-Zip\7zG.exe
              "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\1\" -spe -an -ai#7zMap20883:82:7zEvent24520
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              PID:2596
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\98915.txt"
              2⤵
                PID:3372
            • C:\Windows\System32\rundll32.exe
              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              1⤵
                PID:772
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                1⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2716
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3032
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell -c get-filehash -algo sha256 Jason.bin
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2184
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell -c get-filehash -algo sha256 Janos.bin
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2096
                  • C:\Windows\system32\rundll32.exe
                    rundll32 Janos.bin,DllRegisterServer
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2440
                    • C:\Windows\SysWOW64\rundll32.exe
                      rundll32 Janos.bin,DllRegisterServer
                      4⤵
                      • Blocklisted process makes network request
                      • Loads dropped DLL
                      PID:1036
              • C:\Windows\system32\calc.exe
                calc.exe
                1⤵
                • Process spawned unexpected child process
                • Modifies registry class
                PID:2924
              • C:\Windows\system32\OpenWith.exe
                C:\Windows\system32\OpenWith.exe -Embedding
                1⤵
                • Suspicious use of SetWindowsHookEx
                PID:3204

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                MD5

                ea6243fdb2bfcca2211884b0a21a0afc

                SHA1

                2eee5232ca6acc33c3e7de03900e890f4adf0f2f

                SHA256

                5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

                SHA512

                189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                MD5

                2143b379fed61ab5450bab1a751798ce

                SHA1

                32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

                SHA256

                a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

                SHA512

                0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                MD5

                f93bd7d721758b9a4f242b4643201bb8

                SHA1

                f418c2a282f3f5428cdb7c9d35cca502b21aac4a

                SHA256

                48fed95ae39b31ffcdb9323cf9eb4cf2a7cbbf51773a46625365942b908866dd

                SHA512

                8b0e2bfd98a11b7944ea2a47f9d85166e85fc04970460191f761d7e0e5c079806ebcfd7ecc774ef1cb293f504a916fdbac9722b728f79b88c6ea1ce9ea9a75a6

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                MD5

                fee2f5cdf424dcbd216c6099664c45de

                SHA1

                170fba8e1db81ed6a63d4dc358be0dfa334b1fda

                SHA256

                47824ae9f708546cdb0e20b2fd294eeca0270f96f38b33ce794913f5b2464657

                SHA512

                274fccb01804c98c4e267722f463fe531e46d0cce7c107259bbdd6af9d58839f572fe6684494d46add1383fdc526dcdd8fecfe2f881e8c6ac215499a9c30ac40

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\1\1.txt
                MD5

                432ee3697333147d2a0d894260145a10

                SHA1

                d62becb24ccb991eecea420e2953a01b2003a8a2

                SHA256

                c5003cf7d3f9c4060035f778bb99b0587a21df40643ce8d78a042953e52baa95

                SHA512

                9585aefb53beb1b65c17410c6c35b631895de369fb7c2641ccb7bdce1c20bc18c1f2fa9703f723efde9f0d3068e8f232e79c0f506faa63904752cba498cbc4bc

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\1\1.vbs
                MD5

                3c464445b71c82c22643ef4487a60b4e

                SHA1

                badb3bcb867bc8f38a14c10a1b7f3d657b0384ec

                SHA256

                33a3aed542dbc22eaf74a6f7c1cb9dbd0beefd323af8ef067be74945e798463e

                SHA512

                dae017d4e64f9bc831ce184bc5a4f991e2306bedb15f00038ca39486694ca274cb97d163bcf0cef4b2d12df3279d0fad0eeb2a24dde5bf15205b1cab5bd43593

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\1\start[710980].vbs
                MD5

                207568c3acb35b681b9ebd15881ba124

                SHA1

                c7f0f8b2dedef6e44fa8d5083d7f162bc2a6d8c2

                SHA256

                7c942f875e29c8ac867f4d4cf98610d6ad1c2292812e0d072f729c422ed32487

                SHA512

                76bd367710c6fae7f540c527f2083b05a05f883e68274a5f88ed3a0153a0919f8a10a056ab2e4ced842b767c0d86e6fb85a93af1ea7fe35b855e4662c7006be4

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\Janos.bin
                MD5

                3ee784b20a405a7b032728a7bcac456c

                SHA1

                d1b224481e428fc86e9c55e2ff138b30b5cfbfab

                SHA256

                3fd290e335098184c8c2973272660f506c89f329a37cf590608863d002333386

                SHA512

                7f5dd561e321b3787e65b478aab720ac8aeb95034567c3b942184b6f35f011474415ba5714488a968815a7351e0c44b129d686877392225a2aeca361aab7adac

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
                MD5

                96a5b608546e746260bccc0c7e7ef54b

                SHA1

                9e7c0ff2701aeb81f8fcad71a65653aaf41a3aab

                SHA256

                f0edd6eb312cba7446d58766c2b8b99d3210e240a7e32b77b4f11c5098286624

                SHA512

                e26b8a5e27839af0dcd5e756d9e9ef9471c356c3154b12fe668949d7c1ef9050039cbe64802166e432fa0e2b3ea3850e6c037a8de48e7bb4243a81a4271e23eb

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                MD5

                59c24265037836a8dc65ce2d4fb4e300

                SHA1

                614b0386de656ab5ac953781bab42b2fdc952c0c

                SHA256

                05e799a1892667611f180937ec5d1f63fa32b285accb90f58ba37cace4e58334

                SHA512

                dfdfde229d4648e85ce4a8674fbaa5e73ddc36b0f6d58135a6dcd582b575941a5fad4fff61daeb17addd3e248382929e58a6dad392997ec36bada7e6c56bfc74

                Download Submit
              • C:\Users\Admin\Downloads\98915.txt
                MD5

                207568c3acb35b681b9ebd15881ba124

                SHA1

                c7f0f8b2dedef6e44fa8d5083d7f162bc2a6d8c2

                SHA256

                7c942f875e29c8ac867f4d4cf98610d6ad1c2292812e0d072f729c422ed32487

                SHA512

                76bd367710c6fae7f540c527f2083b05a05f883e68274a5f88ed3a0153a0919f8a10a056ab2e4ced842b767c0d86e6fb85a93af1ea7fe35b855e4662c7006be4

                Download Submit
              • \Users\Admin\AppData\Local\Temp\Janos.bin
                MD5

                3ee784b20a405a7b032728a7bcac456c

                SHA1

                d1b224481e428fc86e9c55e2ff138b30b5cfbfab

                SHA256

                3fd290e335098184c8c2973272660f506c89f329a37cf590608863d002333386

                SHA512

                7f5dd561e321b3787e65b478aab720ac8aeb95034567c3b942184b6f35f011474415ba5714488a968815a7351e0c44b129d686877392225a2aeca361aab7adac

                Download Submit
              • memory/936-152-0x0000023C41E93000-0x0000023C41E95000-memory.dmp
                Filesize

                8KB

                Download
              • memory/936-120-0x0000023C41E60000-0x0000023C41E61000-memory.dmp
                Filesize

                4KB

                Download
              • memory/936-151-0x0000023C41E90000-0x0000023C41E92000-memory.dmp
                Filesize

                8KB

                Download
              • memory/936-150-0x0000023C5C4C0000-0x0000023C5C4C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/936-139-0x0000023C5C400000-0x0000023C5C401000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1036-300-0x0000000000000000-mapping.dmp
                Download
              • memory/1036-304-0x0000000073BC0000-0x0000000073BCE000-memory.dmp
                Filesize

                56KB

                Download
              • memory/1036-305-0x0000000073BC0000-0x0000000073C28000-memory.dmp
                Filesize

                416KB

                Download
              • memory/1036-306-0x0000000000490000-0x0000000000491000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1196-167-0x0000000000000000-mapping.dmp
                Download
              • memory/2096-298-0x00000290D6BE6000-0x00000290D6BE8000-memory.dmp
                Filesize

                8KB

                Download
              • memory/2096-291-0x00000290D6BE3000-0x00000290D6BE5000-memory.dmp
                Filesize

                8KB

                Download
              • memory/2096-290-0x00000290D6BE0000-0x00000290D6BE2000-memory.dmp
                Filesize

                8KB

                Download
              • memory/2096-170-0x0000000000000000-mapping.dmp
                Download
              • memory/2096-272-0x0000000000000000-mapping.dmp
                Download
              • memory/2184-270-0x000001B57F216000-0x000001B57F218000-memory.dmp
                Filesize

                8KB

                Download
              • memory/2184-269-0x000001B57F213000-0x000001B57F215000-memory.dmp
                Filesize

                8KB

                Download
              • memory/2184-268-0x000001B57F218000-0x000001B57F219000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2184-267-0x000001B57F210000-0x000001B57F212000-memory.dmp
                Filesize

                8KB

                Download
              • memory/2184-242-0x0000000000000000-mapping.dmp
                Download
              • memory/2440-299-0x0000000000000000-mapping.dmp
                Download
              • memory/2596-171-0x0000000000000000-mapping.dmp
                Download
              • memory/2616-172-0x0000000000000000-mapping.dmp
                Download
              • memory/2716-235-0x00000250BA9E8000-0x00000250BA9E9000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2716-234-0x00000250A2830000-0x00000250A2831000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2716-233-0x00000250BA9E6000-0x00000250BA9E8000-memory.dmp
                Filesize

                8KB

                Download
              • memory/2716-196-0x00000250BA9E3000-0x00000250BA9E5000-memory.dmp
                Filesize

                8KB

                Download
              • memory/2716-194-0x00000250BA9E0000-0x00000250BA9E2000-memory.dmp
                Filesize

                8KB

                Download
              • memory/3032-241-0x0000000000000000-mapping.dmp
                Download
              • memory/3372-178-0x0000000000000000-mapping.dmp
                Download
              • memory/3868-174-0x0000000000000000-mapping.dmp
                Download