Overview

overview

10

Static

static

tmp.exe

windows7_x64

10

tmp.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    47s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    23-06-2022 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    225KB

  • MD5

    4d0774579b6e4be41c687982347b5a41

  • SHA1

    4359e5993bbce3794d0fc1a51a147d2b6b67d7bb

  • SHA256

    7ae2c953f8142f668650d11f0bc7f042e249ee8456b2255f71a51a84ca94c756

  • SHA512

    ee4177f6624cb932f5e5c5cad0c27eabdb9ed7250e8133d177561c79c82bcba43d3d781db2af85d06fb7899f23158e94abb3b143f62ac971234ef617cd784a28

Score
10/10
gozi_ifsb1500bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1500

C2

apghn.msn.com

188.126.76.221
Attributes
  • base_path

    /budweiser/

  • build

    250235

  • exe_type

    loader

  • extension

    .bbu

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:1980
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 112
        2⤵
        • Program crash
        PID:856

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/856-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1980-56-0x0000000000400000-0x000000000040F000-memory.dmp
      Filesize

      60KB

      Download
    • memory/1980-54-0x0000000000400000-0x000000000040F000-memory.dmp
      Filesize

      60KB

      Download
    • memory/1980-64-0x0000000000401D58-mapping.dmp
      Download
    • memory/1980-65-0x0000000000400000-0x000000000040F000-memory.dmp
      Filesize

      60KB

      Download
    • memory/1980-66-0x0000000076421000-0x0000000076423000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1980-68-0x0000000000400000-0x000000000040F000-memory.dmp
      Filesize

      60KB

      Download
    • memory/1980-69-0x00000000002A0000-0x00000000002AD000-memory.dmp
      Filesize

      52KB

      Download