Overview

overview

10

Static

static

5f01a48664...c4.exe

windows7_x64

10

5f01a48664...c4.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    76s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 03:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f01a4866431a17095c1b4b0eb6b6cd4ad221d4ff12bb2466280347abe3b13c4.exe

  • Size

    658KB

  • MD5

    5cecd52c5f7a3a95392c2065e22a65ab

  • SHA1

    295c122ecaa4239532320f0deff4aa94ed92e207

  • SHA256

    5f01a4866431a17095c1b4b0eb6b6cd4ad221d4ff12bb2466280347abe3b13c4

  • SHA512

    a064a5bbd139b8115b37463904126aeab354facfe99c46bb1aed0f8dffabd91a03fe190772b9253f57f5061a75506018c12dfa0bcabee5e957151287bc2385a0

Score
10/10
gozi_ifsb1011bankerpersistencetrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1011

C2

http://h33a7jzovxp2dxfg.onion

http://check.vivianmaierphotos.com

http://mysweetdream.site

http://marcoplfind.at

http://maildeliveryyboys1.at
Attributes
  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\5f01a4866431a17095c1b4b0eb6b6cd4ad221d4ff12bb2466280347abe3b13c4.exe
      "C:\Users\Admin\AppData\Local\Temp\5f01a4866431a17095c1b4b0eb6b6cd4ad221d4ff12bb2466280347abe3b13c4.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\system32\control.exe
        C:\Windows\system32\control.exe /?
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
          4⤵
            PID:1588

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Bitsager\Audiudrv.exe
      Filesize

      658KB

      MD5

      5cecd52c5f7a3a95392c2065e22a65ab

      SHA1

      295c122ecaa4239532320f0deff4aa94ed92e207

      SHA256

      5f01a4866431a17095c1b4b0eb6b6cd4ad221d4ff12bb2466280347abe3b13c4

      SHA512

      a064a5bbd139b8115b37463904126aeab354facfe99c46bb1aed0f8dffabd91a03fe190772b9253f57f5061a75506018c12dfa0bcabee5e957151287bc2385a0

      Download Submit
    • memory/1100-66-0x0000000000280000-0x0000000000331000-memory.dmp
      Filesize

      708KB

      Download
    • memory/1100-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1100-67-0x000007FEFC331000-0x000007FEFC333000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1100-72-0x0000000000280000-0x0000000000331000-memory.dmp
      Filesize

      708KB

      Download
    • memory/1268-70-0x0000000004130000-0x00000000041E1000-memory.dmp
      Filesize

      708KB

      Download
    • memory/1460-56-0x0000000000400000-0x00000000004D3000-memory.dmp
      Filesize

      844KB

      Download
    • memory/1460-57-0x00000000769D1000-0x00000000769D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1460-58-0x0000000001DB0000-0x0000000001DFA000-memory.dmp
      Filesize

      296KB

      Download
    • memory/1460-54-0x00000000005AD000-0x00000000005F8000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1460-55-0x00000000002E0000-0x0000000000329000-memory.dmp
      Filesize

      292KB

      Download
    • memory/1588-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1588-71-0x0000000001AD0000-0x0000000001B81000-memory.dmp
      Filesize

      708KB

      Download