gozi | 12d88935437064d8478bc4adec0c0042fb73da774905004c7de55e559729e15c

Analysis

max time kernel
150s
max time network
181s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 10:05

Target

eee617806c18710e8635615de6297834.dll
Size

170KB
MD5

eee617806c18710e8635615de6297834
SHA1

a629961de369fac6e25b2846bc06df4997a47669
SHA256

12d88935437064d8478bc4adec0c0042fb73da774905004c7de55e559729e15c
SHA512

93c9faa68616b9fa6141997f93f93279dbd62cf4e0518c37b0692352661c982a7bc5b698bed732ae35e29c56e5edd6c18a5dc48791d8103efae3d849d1db41bf
SSDEEP

3072:Efo9DTdl4eZKj0zdq0cAE0I4Cg/RWxZ0PD1C5G6z7bP1V621u4W:pZBlVZgodTcLt4Cg/Rr1alz7bPv62wx

Score

10^/10

Family

gozi

Botnet

202206061

https://gigimas.xyz

https://reaso.xyz

Attributes

aes.plain

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1928 wrote to memory of 1320	1928	regsvr32.exe	cmd.exe
PID 1928 wrote to memory of 1320	1928	regsvr32.exe	cmd.exe
PID 1928 wrote to memory of 1320	1928	regsvr32.exe	cmd.exe
PID 1928 wrote to memory of 1508	1928	regsvr32.exe	cmd.exe
PID 1928 wrote to memory of 1508	1928	regsvr32.exe	cmd.exe
PID 1928 wrote to memory of 1508	1928	regsvr32.exe	cmd.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\eee617806c18710e8635615de6297834.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\system32\cmd.exe
cmd /c "echo Commands" >> C:\Users\Admin\AppData\Local\Temp\993C.tmp
2⤵
PID:1320

C:\Windows\system32\cmd.exe
cmd /c "dir" >> C:\Users\Admin\AppData\Local\Temp\993C.tmp
2⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\993C.tmp
Filesize
11B

MD5
a67f2061c697fd95f6b28d89b953a51f

SHA1
6730b864104f0840fcebf04383d2e3ef7c324a48

SHA256
d4bdd82a900fea52cbd442ce8cae201982392d3533d765bfceb7682bc2d16a79

SHA512
d9cc7c1593967dbcaf358bc9d394426d97baa7bb6ddeed1767b638c85aa814276eaa3609588b720cab3b2a0b3e36d1d3833dab3e75c9c1a92b8315db61a64cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\993C.tmp
Filesize
3KB

MD5
3a9e506f9de3f9cb19d42164269e3e10

SHA1
6099c72222b9fd924e3c8946d5ade0189be6dbac

SHA256
e12ba0b1ea195883b7ca7fa40080ae9ca752eef79af3d84e096b61ee2a6cc755

SHA512
48b00c1b92de5854e605a154f1a242661a3b5b44450c2de3527c89a1c6750896e75f322f2ed87fafc49e73033866ddaaf6b2af71e99c9375d90b133af33810df

Download Submit
memory/1320-58-0x0000000000000000-mapping.dmp

Download
memory/1508-59-0x0000000000000000-mapping.dmp

Download
memory/1928-54-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

Filesize
8KB

Download
memory/1928-55-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/1928-57-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download