Analysis

  • max time kernel
    142s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-11-2022 16:10

General

  • Target

    b3b8433b8322d3884a24aa66d423bb386bd2d26edc86f09f5409a7a30b52bcfb.exe

  • Size

    296KB

  • MD5

    0f4a3710b28ebbf430bc765f9b9e9740

  • SHA1

    362460f5f63c8cf844dc089454f72cb974046c07

  • SHA256

    b3b8433b8322d3884a24aa66d423bb386bd2d26edc86f09f5409a7a30b52bcfb

  • SHA512

    fdfa471259ecb69f64b749b485e9cb9d2be2227113117dc19facce9daba4f86f19dbe34fa36379e89ecc0ddaf42aaa69a275c15d78b50b6a80777001e4b4839c

  • SSDEEP

    6144:BSu1zvPvYDyLpj5weLCVrk0WRm/wpnN5Oie6xjMPt9eZiC3:gu1znL8k0WdNre6h+t9k

Malware Config

Extracted

  • Family
    gozi

Extracted

  • Family
    gozi
  • Botnet
    1099
  • C2
    fkklqkjgnr.com
    sinpotikos.com
    bnkalirmf.com
  • Attributes
    • exe_type
      worker
    • server_id
      12
    • rsa_pubkey.plain
    • serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature reads "Likely ransomware behaviour"; that is the signature's boilerplate rather than a finding about this sample, which the extracted config identifies as Gozi, a banking trojan.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3b8433b8322d3884a24aa66d423bb386bd2d26edc86f09f5409a7a30b52bcfb.exe
    "C:\Users\Admin\AppData\Local\Temp\b3b8433b8322d3884a24aa66d423bb386bd2d26edc86f09f5409a7a30b52bcfb.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      2⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1924
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\381F.bat" "C:\Users\Admin\AppData\Local\Temp\B3B843~1.EXE""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\B3B843~1.EXE"
        3⤵
        • Views/modifies file attributes
        PID:1768
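The process tree above shows three things worth hunting for on other hosts: explorer.exe started by an executable in the user's Temp directory (the parent carries the SetThreadContext/WriteProcessMemory/MapViewOfSection signatures, i.e. the injection target), a cmd.exe that runs a Temp .bat with the dropper's own path as argument, and attrib.exe clearing -r -s -h on that dropper before it is deleted; the extracted config adds the three C2 domains. The script below is an added example, not part of the sandbox report or the Gozi analysis. It runs the corresponding rules over a constructed, Sysmon-like event list that mirrors the tree (the DNS event's PID is an assumption: the report lists the C2 domains but not which process resolved them).

```python
import re
from dataclasses import dataclass

# C2 domains copied from the extracted config above.
C2_DOMAINS = {"fkklqkjgnr.com", "sinpotikos.com", "bnkalirmf.com"}

# Paths under the user's Temp directory, where the sample and its .bat live.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BAT_IN_TEMP = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.bat', re.IGNORECASE)
EXE_ARG_IN_TEMP = re.compile(r'"[^"]*\\AppData\\Local\\Temp\\[^"]+\.exe"', re.IGNORECASE)


@dataclass
class Event:
    """Constructed, Sysmon-like event: kind is 'process' (creation) or 'dns' (query)."""
    kind: str
    pid: int
    image: str
    cmdline: str = ""
    parent_image: str = ""
    query: str = ""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_explorer_from_temp(ev: Event) -> bool:
    """explorer.exe whose parent lives in Temp: the injection-target pattern in the tree."""
    return (ev.kind == "process" and _basename(ev.image) == "explorer.exe"
            and bool(TEMP_DIR.search(ev.parent_image)))


def rule_batch_self_delete(ev: Event) -> bool:
    """cmd.exe launched by a Temp executable, running a Temp .bat that is handed
    a Temp .exe path (the launcher itself, in 8.3 or long form) as an argument."""
    if ev.kind != "process" or _basename(ev.image) != "cmd.exe":
        return False
    if not TEMP_DIR.search(ev.parent_image) or not BAT_IN_TEMP.search(ev.cmdline):
        return False
    return bool(EXE_ARG_IN_TEMP.search(ev.cmdline))


def rule_attrib_unhide_temp(ev: Event) -> bool:
    """attrib clearing read-only, system and hidden on a Temp file, the step that
    precedes deleting the dropper."""
    if ev.kind != "process" or _basename(ev.image) != "attrib.exe":
        return False
    flags = {tok.lower() for tok in ev.cmdline.split()}
    return {"-r", "-s", "-h"} <= flags and bool(TEMP_DIR.search(ev.cmdline))


def rule_c2_dns(ev: Event) -> bool:
    """DNS query for one of the extracted C2 domains (trailing dot tolerated)."""
    return ev.kind == "dns" and ev.query.lower().rstrip(".") in C2_DOMAINS


RULES = [
    ("explorer_spawned_from_temp", rule_explorer_from_temp),
    ("batch_self_delete", rule_batch_self_delete),
    ("attrib_unhide_temp", rule_attrib_unhide_temp),
    ("c2_dns_query", rule_c2_dns),
]


def hunt(events):
    """Return (rule_name, pid) for every event that matches a rule, in event order."""
    return [(name, ev.pid) for ev in events for name, fn in RULES if fn(ev)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b3b8433b8322d3884a24aa66d423bb386bd2d26edc86f09f5409a7a30b52bcfb.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events: PIDs 740/1924/1504/1768 mirror the tree above; the parent of
# 740 and the DNS attribution to 1924 are assumptions; 2001-2003 are benign noise.
EVENTS = [
    Event("process", 740, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    Event("process", 1924, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe", SAMPLE),
    Event("process", 1504, r"C:\Windows\SysWOW64\cmd.exe",
          rf'cmd /c ""{TEMP}\381F.bat" "{TEMP}\B3B843~1.EXE""', SAMPLE),
    Event("process", 1768, r"C:\Windows\SysWOW64\attrib.exe",
          rf'attrib -r -s -h "{TEMP}\B3B843~1.EXE"', r"C:\Windows\SysWOW64\cmd.exe"),
    Event("process", 2001, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\userinit.exe"),
    Event("process", 2002, r"C:\Windows\System32\attrib.exe",
          r'attrib -h "C:\Users\Admin\Desktop\notes.txt"', r"C:\Windows\System32\cmd.exe"),
    Event("dns", 1924, r"C:\Windows\explorer.exe", query="fkklqkjgnr.com."),
    Event("dns", 2003, r"C:\Program Files\Internet Explorer\iexplore.exe", query="example.com"),
]

if __name__ == "__main__":
    for name, pid in hunt(EVENTS):
        print(f"{name:28s} pid={pid}")
```

The batch rule matches on the 8.3 name (B3B843~1.EXE) as well as the long path because it only requires a quoted .exe under Temp in the arguments; tying the argument back to the exact parent image would need the short-name mapping from the host, which a log alone does not give.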

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\381F.bat

    Filesize

    72B

    MD5

    06cb28d678c5f24c16e1c9cb1e92b337

    SHA1

    399ecc84dd035983c41a65a9106f9f87b080d314

    SHA256

    820846ce52b38cf76a480a649224f6b3f35b50845273035f8de7ce793554d8cf

    SHA512

    da137bf0d242e64a74ca0954fbec0addf57febfa3970a0826e3c1362a1f9338decadc6048d101c3226872265cc60a318ae1e95d01b3f3e0f41235dea04496126

  • memory/740-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

    Filesize

    8KB

  • memory/740-55-0x0000000000400000-0x0000000000670000-memory.dmp

    Filesize

    2.4MB

  • memory/740-56-0x0000000000240000-0x0000000000243000-memory.dmp

    Filesize

    12KB

  • memory/740-57-0x0000000000300000-0x0000000000303000-memory.dmp

    Filesize

    12KB

  • memory/1924-59-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

    Filesize

    8KB

  • memory/1924-61-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB