Overview

overview

10

Static

static

test2.dll

windows7-x64

10

test2.dll

windows10-2004-x64

10

Resubmissions

27-10-2022 16:06

221027-tj656acfg7 10

25-08-2022 16:02

220825-tg4bgsgbe7 1

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27-10-2022 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test2.dll

  • Size

    417KB

  • MD5

    bea60bab50d47f239132890a343ae84c

  • SHA1

    370ebd02e9284576d28ed8a114b767a2bd0d14fd

  • SHA256

    74b57e264dd84cbb7c4e1a7eb8a8dbdb932f01ac34e48e2e6d41ab82f05c682f

  • SHA512

    6b67946fa066139caafc6bac1bbdcf8c0e2d067194dca06cf93a54f6d6ad3f2620e1f27adf06e510f5dbeda0660576a3914164b1213a441da27af36267ed082a

  • SSDEEP

    6144:BkakVZKK4DiSqU2fEIj45A1Wkn6KLm1fEdkAdpqAeOhU1PQZukC3j+CH0sAW:XkXUCLcIj4S15RSJEdBdpYKUtQZu5zb

Score
10/10
gozi202208151bankerldr4trojan

Malware Config

Extracted

Family

gozi

Botnet

202208151

C2

https://logotep.xyz

https://vavilgo.xyz
Attributes
  • host_keep_time

    2

  • host_shift_time

    1

  • idle_time

    1

  • request_time

    10

aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\test2.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\system32\cmd.exe
      cmd /c "echo Commands" >> C:\Users\Admin\AppData\Local\Temp\926C.tmp
      2⤵
        PID:1628
      • C:\Windows\system32\cmd.exe
        cmd /c "dir" >> C:\Users\Admin\AppData\Local\Temp\926C.tmp
        2⤵
          PID:1680

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\926C.tmp
        Filesize

        3KB

        MD5

        492a16862d42fed1f84700b0088f15da

        SHA1

        abc8da3029e77e4e5807412d465393d935759498

        SHA256

        df473a66ee701b61eef96f8e3c4fae28493eb0cd31b2fa08b91a21232a042764

        SHA512

        ec278cf1faaee1619c3153e1209d2197450a906f024ca8fd982195736ffe611748ea8687941dca94bf604f5e062ebf112b8df7bfbc89f26a352a1fec82235b08

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\926C.tmp
        Filesize

        3KB

        MD5

        492a16862d42fed1f84700b0088f15da

        SHA1

        abc8da3029e77e4e5807412d465393d935759498

        SHA256

        df473a66ee701b61eef96f8e3c4fae28493eb0cd31b2fa08b91a21232a042764

        SHA512

        ec278cf1faaee1619c3153e1209d2197450a906f024ca8fd982195736ffe611748ea8687941dca94bf604f5e062ebf112b8df7bfbc89f26a352a1fec82235b08

        Download Submit

      • memory/1628-61-0x0000000000000000-mapping.dmp

        Download

      • memory/1680-62-0x0000000000000000-mapping.dmp

        Download

      • memory/1948-54-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1948-55-0x0000000180000000-0x0000000180013000-memory.dmp

        Filesize

        76KB

        Download