Overview

overview

10

Static

static

f86750e0d8...c1.exe

windows7-x64

10

f86750e0d8...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2022 02:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f86750e0d8b1082c47d6f9766ab74a98ab95478740f1bdf42030ee8ae9854ac1.exe

  • Size

    3.7MB

  • MD5

    b39c8a5d35fac869aae9f225719f79f4

  • SHA1

    eb32c56672e0bbc68bde452f1c92eb1c5dea04fc

  • SHA256

    f86750e0d8b1082c47d6f9766ab74a98ab95478740f1bdf42030ee8ae9854ac1

  • SHA512

    3ab79d1fdb3254f66d617b1af6f04d4bbcdeb9e6ec6d795f1a3fb18c0dc8ed88cbd0955625aeffeaaa00cd39a06c05ffefbb2ea1cd275c60cbde010d4b3b9ca7

Score
10/10
gozi_ifsb3523bankersuricatatrojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes
  • build

    214098

Extracted

Family

gozi_ifsb

Botnet

3523

C2

fortinet.com

symantec.com

z39bldfq.com

r79xhiram81ue.com

mlqlqewh.com
Attributes
  • build

    214098

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

    suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

    suricata
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f86750e0d8b1082c47d6f9766ab74a98ab95478740f1bdf42030ee8ae9854ac1.exe
    "C:\Users\Admin\AppData\Local\Temp\f86750e0d8b1082c47d6f9766ab74a98ab95478740f1bdf42030ee8ae9854ac1.exe"
    1⤵
      PID:2264
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:1848
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1124 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1356
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3084 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3608
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3968
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3968 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:5048
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4760

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\59gvihh\imagestore.dat
        Filesize

        478B

        MD5

        14051d35c19031beed8f9c632e10f382

        SHA1

        ccd048d62054a821b238ea6adb7fecf82be77d98

        SHA256

        78e2254dc12d05a92f7c7ba61c926603f3ad40f4796fbff3f8e60b21010b7565

        SHA512

        af734978f8dc4b186a0a014ab754c602a6d23ecea752bc50aa6c86c21bffe2fa2ae3dcaf945ad845ea2cd986c221279f3471c015f48b21c44fb54203d5af0cda

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\59gvihh\imagestore.dat
        Filesize

        478B

        MD5

        14051d35c19031beed8f9c632e10f382

        SHA1

        ccd048d62054a821b238ea6adb7fecf82be77d98

        SHA256

        78e2254dc12d05a92f7c7ba61c926603f3ad40f4796fbff3f8e60b21010b7565

        SHA512

        af734978f8dc4b186a0a014ab754c602a6d23ecea752bc50aa6c86c21bffe2fa2ae3dcaf945ad845ea2cd986c221279f3471c015f48b21c44fb54203d5af0cda

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\59gvihh\imagestore.dat
        Filesize

        478B

        MD5

        14051d35c19031beed8f9c632e10f382

        SHA1

        ccd048d62054a821b238ea6adb7fecf82be77d98

        SHA256

        78e2254dc12d05a92f7c7ba61c926603f3ad40f4796fbff3f8e60b21010b7565

        SHA512

        af734978f8dc4b186a0a014ab754c602a6d23ecea752bc50aa6c86c21bffe2fa2ae3dcaf945ad845ea2cd986c221279f3471c015f48b21c44fb54203d5af0cda

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\59gvihh\imagestore.dat
        Filesize

        478B

        MD5

        14051d35c19031beed8f9c632e10f382

        SHA1

        ccd048d62054a821b238ea6adb7fecf82be77d98

        SHA256

        78e2254dc12d05a92f7c7ba61c926603f3ad40f4796fbff3f8e60b21010b7565

        SHA512

        af734978f8dc4b186a0a014ab754c602a6d23ecea752bc50aa6c86c21bffe2fa2ae3dcaf945ad845ea2cd986c221279f3471c015f48b21c44fb54203d5af0cda

        Download Submit
      • memory/2264-130-0x00000000005D0000-0x00000000005DE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/2264-132-0x00000000005D0000-0x0000000001890000-memory.dmp
        Filesize

        18.8MB

        Download
      • memory/2264-133-0x0000000003A50000-0x0000000003A5F000-memory.dmp
        Filesize

        60KB

        Download
      • memory/2264-139-0x00000000005D0000-0x0000000001890000-memory.dmp
        Filesize

        18.8MB

        Download