Analysis

  • max time kernel
    432s
  • max time network
    436s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-10-2022 00:02

General

  • Target

    25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061.exe

  • Size

    676KB

  • MD5

    644c7a78a572d45d8af45d94e6a57e40

  • SHA1

    0b3e29129dc20a87a166ade006bf8f1cbd9b8300

  • SHA256

    25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061

  • SHA512

    7dfbe61d11077a254d13d869b888c22d2e02b82c6ae8d75f04f7683d5eca7aecc8e00de740e094f197ae2f1ebd6319c3c162dc1e1e9c20ec36f7a2bddab3ce33

  • SSDEEP

    12288:Zv75bu3S23LN8wa7yelFRNuQ7TdC1ryYrKTP5uSZPnMll:J75E732wujXbzFZil

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2002

C2

test1.ru

Attributes
  • build

    216843

  • dga_base_url

    opensource.apple.com/source/Security/Security-29/SecureTransport/LICENSE.txt?txt

  • dga_crc

    0x6f0b167a

  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain
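
The dga_base_url and dga_crc attributes above describe a wordlist-seeded, date-rotating DGA: the bot fetches a public, rarely changing text as its word source and mixes a per-build constant with the current date so that bot and operator derive the same domain list for a period. The block below is an added illustration of that class of DGA and is not ISFB's actual algorithm or any code from the report; the seed text (a constructed stand-in for the LICENSE.txt body), the mixing function, the 7-day period and the TLD are assumptions. Only the dga_crc value is taken from the extracted config.

```python
"""Illustrative wordlist-seeded DGA (generic reconstruction, not ISFB's real one).

Added example: shows why a defender cares about dga_base_url (the word source
both sides must fetch identically) and dga_crc (a per-build constant mixed
into the seed). Seed text, LCG, period and TLD are assumptions.
"""
import re
import zlib
from datetime import date

# Constructed stand-in for the body served at dga_base_url so the example runs offline.
SEED_TEXT = """
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files, to deal in the Software
without restriction, including without limitation the rights to use, copy,
modify, merge, publish, distribute, sublicense, and sell copies of the
Software, and to permit persons to whom the Software is furnished to do so.
"""

DGA_CRC = 0x6F0B167A  # the dga_crc value from the extracted config


def words_from_text(text: str, min_len: int = 3, max_len: int = 8) -> list:
    """Deterministic, deduplicated word list; bot and operator must derive the same one."""
    words = {w for w in re.findall(r"[a-z]+", text.lower()) if min_len <= len(w) <= max_len}
    return sorted(words)


def season_index(day: date, period_days: int) -> int:
    """Number of the period the given day falls into (domains rotate per period)."""
    return day.toordinal() // period_days


def seasonal_seed(day_iso: str, dga_crc: int, period_days: int = 7) -> int:
    """Seed that is constant within one period and differs between periods."""
    season = season_index(date.fromisoformat(day_iso), period_days)
    return zlib.crc32(season.to_bytes(4, "little")) ^ (dga_crc & 0xFFFFFFFF)


def _lcg_step(state: int) -> int:
    # 32-bit LCG with glibc rand() constants; an arbitrary choice for the example.
    return (state * 1103515245 + 12345) & 0xFFFFFFFF


def generate_domains(day_iso: str, dga_crc: int = DGA_CRC, seed_text: str = SEED_TEXT,
                     count: int = 10, words_per_domain: int = 2,
                     period_days: int = 7, tld: str = "com") -> list:
    """Return `count` unique domains for the period containing day_iso."""
    words = words_from_text(seed_text)
    if len(words) ** words_per_domain < count:
        raise ValueError("word source too small for the requested number of domains")
    state = seasonal_seed(day_iso, dga_crc, period_days)
    domains = []
    while len(domains) < count:
        parts = []
        for _ in range(words_per_domain):
            state = _lcg_step(state)
            # Use the high bits: the low bits of an LCG cycle with a short period.
            parts.append(words[(state >> 16) % len(words)])
        candidate = "".join(parts) + "." + tld
        if candidate not in domains:
            domains.append(candidate)
    return domains


if __name__ == "__main__":
    # Submission date of the sample, as an example input.
    for d in generate_domains("2022-10-27"):
        print(d)
```

Because the word source is public and static, a defender who has the extracted config and the real algorithm can precompute the same lists and block or sinkhole them; the part a generic reconstruction like this one cannot supply is the exact seeding and selection logic, which has to come from the sample itself.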

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB (the family tag above spells it IFSB) is a well-known and widely distributed banking trojan.

  • Checks BIOS information in registry (2 TTPs, 1 IoC)

    BIOS vendor, product and version strings, exposed under HKLM\HARDWARE\DESCRIPTION\System, are often read to detect virtual machines and sandboxes, whose firmware identifies the hypervisor.
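
One way to turn this signature into detection logic over host telemetry, as an added example that is not part of the report or of the sandbox's own rules: the block parses Process Monitor-style CSV rows, flags value reads under the BIOS registry keys, and notes whether the returned data names a hypervisor. The CSV rows are constructed (the process name `sample.exe` stands in for the long SHA256-named binary above), and the key paths, read operations and vendor strings are assumptions drawn from common sandbox-evasion checks, not taken from the report.

```python
"""Flag BIOS-fingerprinting registry reads in Process Monitor CSV output.

Added example, not part of the sandbox report. Key paths, read operations and
hypervisor vendor strings are assumptions based on common VM-detection checks.
"""
import csv
import io
import re
from dataclasses import dataclass

# Registry locations that expose firmware/hardware identity to user mode.
BIOS_KEY_PATTERNS = [
    re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\\w+$", re.I),
    re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\"
               r"(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$", re.I),
]
# Only value reads are interesting; merely opening the key is common benign behaviour.
READ_OPS = {"RegQueryValue", "RegEnumValue"}
# Strings that betray a hypervisor when they appear in the values read.
VM_VENDOR_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "bochs", "xen", "parallels")
ATTACK_IDS = ("T1012", "T1082")  # Query Registry, System Information Discovery


@dataclass(frozen=True)
class Hit:
    pid: int
    process: str
    path: str
    data: str        # value returned to the process, if the Detail column carried it
    vm_marker: str   # matched vendor string, or "" when none matched
    techniques: tuple = ATTACK_IDS


def is_bios_read(operation: str, path: str) -> bool:
    return operation in READ_OPS and any(p.search(path) for p in BIOS_KEY_PATTERNS)


def extract_data(detail: str) -> str:
    # Procmon's Detail column looks like "Type: REG_SZ, Length: 26, Data: VMware, Inc."
    marker = "Data: "
    idx = detail.find(marker)
    return detail[idx + len(marker):] if idx >= 0 else ""


def vm_marker_in(data: str) -> str:
    lowered = data.lower()
    return next((m for m in VM_VENDOR_MARKERS if m in lowered), "")


def scan_procmon_csv(text: str) -> list:
    """Return one Hit per BIOS value read, in file order."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        if not is_bios_read(row["Operation"], row["Path"]):
            continue
        data = extract_data(row.get("Detail", ""))
        hits.append(Hit(int(row["PID"]), row["Process Name"], row["Path"], data, vm_marker_in(data)))
    return hits


def pids_with_bios_checks(hits) -> list:
    return sorted({h.pid for h in hits})


def pids_that_saw_a_vm(hits) -> list:
    return sorted({h.pid for h in hits if h.vm_marker})


# Constructed rows mimicking a Procmon export from a VirtualBox guest; "sample.exe"
# stands in for the SHA256-named binary, PID 1256 as in the report.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"00:02:11.10","sample.exe","1256","RegOpenKey","HKLM\HARDWARE\DESCRIPTION\System\BIOS","SUCCESS","Desired Access: Read"
"00:02:11.11","sample.exe","1256","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer","SUCCESS","Type: REG_SZ, Length: 26, Data: innotek GmbH"
"00:02:11.12","sample.exe","1256","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName","SUCCESS","Type: REG_SZ, Length: 22, Data: VirtualBox"
"00:02:11.13","sample.exe","1256","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion","SUCCESS","Type: REG_MULTI_SZ, Length: 40, Data: VBOX   - 1"
"00:02:12.01","explorer.exe","1120","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"00:02:12.02","explorer.exe","1120","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate","SUCCESS","Type: REG_SZ, Length: 22, Data: 12/01/2006"
"00:02:13.00","wmiprvse.exe","2040","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer","SUCCESS","Type: REG_SZ, Length: 26, Data: innotek GmbH"
'''.strip()


if __name__ == "__main__":
    found = scan_procmon_csv(SAMPLE_CSV)
    for h in found:
        print(h.pid, h.process, h.path, repr(h.data), h.vm_marker or "-")
    print("read BIOS keys:", pids_with_bios_checks(found))
    print("saw a hypervisor:", pids_that_saw_a_vm(found))
```

The constructed rows include a WMI provider reading the same key, which is why the sandbox counts this as a weak signal (2 TTPs, 1 IoC): reading BIOS strings is legitimate for inventory software, so the path match alone needs corroboration such as the process being an unsigned binary launched from a temp directory, as in the process list below.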

Processes

  • C:\Users\Admin\AppData\Local\Temp\25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061.exe
    "C:\Users\Admin\AppData\Local\Temp\25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061.exe"
    • Checks BIOS information in registry
    PID:1256

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 1 signature
  • System Information Discovery (T1082): 1 signature


Downloads

  • memory/1256-54-0x0000000075091000-0x0000000075093000-memory.dmp (Filesize 8KB)
  • memory/1256-55-0x0000000000400000-0x00000000004A9000-memory.dmp (Filesize 676KB)
  • memory/1256-56-0x0000000000400000-0x00000000004A9000-memory.dmp (Filesize 676KB)