Overview

overview

10

Static

static

3472bce1e2...04.dll

windows7-x64

10

3472bce1e2...04.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3472bce1e2a03730287a029d6ab2aa729b9b8f114cac43989272094af26ef404.dll

  • Size

    1.1MB

  • MD5

    9ebb3e24459bd86f749f01523fae652d

  • SHA1

    cc8d16513038fb2b43798571f5c2591ee91f097e

  • SHA256

    3472bce1e2a03730287a029d6ab2aa729b9b8f114cac43989272094af26ef404

  • SHA512

    f013bbad5bc4ee88a83dd98421d22ad58d55fa03cef4833471867daaf0059716c2feca4909530f0829c2f7c180d2524ef5053567f146724426049473660ff677

  • SSDEEP

    24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69wTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4z

Score
10/10
gozi1000bankerisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://drunt.at

http://news-deck.at

http://taslks.at
Attributes
  • build

    217107

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3436
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3472bce1e2a03730287a029d6ab2aa729b9b8f114cac43989272094af26ef404.dll,#1
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\3472bce1e2a03730287a029d6ab2aa729b9b8f114cac43989272094af26ef404.dll,#1
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4896
        • C:\Windows\system32\control.exe
          C:\Windows\system32\control.exe /?
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:688
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
            4⤵
              PID:2028
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:4696
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:3636
          • C:\Windows\Explorer.EXE
            C:\Windows\Explorer.EXE
            1⤵
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2056
            • C:\Windows\system32\cmd.exe
              cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\1444.bi1"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1372
              • C:\Windows\system32\nslookup.exe
                nslookup myip.opendns.com resolver1.opendns.com
                3⤵
                  PID:3768
              • C:\Windows\system32\cmd.exe
                cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1444.bi1"
                2⤵
                  PID:1948
                • C:\Windows\syswow64\cmd.exe
                  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
                  2⤵
                    PID:4300

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Registry Run Keys / Startup Folder

                1
                T1060

                Privilege Escalation

                Defense Evasion

                Modify Registry

                1
                T1112

                Credential Access

                Discovery

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\1444.bi1
                  Filesize

                  118B

                  MD5

                  4f6429322fdfd711b81d8824b25fcd9c

                  SHA1

                  f7f917b64dd43b620bacd21f134d430d3c406aec

                  SHA256

                  d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8

                  SHA512

                  e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\1444.bi1
                  Filesize

                  118B

                  MD5

                  4f6429322fdfd711b81d8824b25fcd9c

                  SHA1

                  f7f917b64dd43b620bacd21f134d430d3c406aec

                  SHA256

                  d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8

                  SHA512

                  e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Microsoft\Browscli\Compound.dll
                  Filesize

                  1.1MB

                  MD5

                  9ebb3e24459bd86f749f01523fae652d

                  SHA1

                  cc8d16513038fb2b43798571f5c2591ee91f097e

                  SHA256

                  3472bce1e2a03730287a029d6ab2aa729b9b8f114cac43989272094af26ef404

                  SHA512

                  f013bbad5bc4ee88a83dd98421d22ad58d55fa03cef4833471867daaf0059716c2feca4909530f0829c2f7c180d2524ef5053567f146724426049473660ff677

                  Download Submit
                • memory/688-143-0x0000000000000000-mapping.dmp
                  Download
                • memory/688-147-0x0000000000C40000-0x0000000000CF4000-memory.dmp
                  Filesize

                  720KB

                  Download
                • memory/1372-153-0x0000000000000000-mapping.dmp
                  Download
                • memory/1948-155-0x0000000000000000-mapping.dmp
                  Download
                • memory/2028-148-0x00000227114A0000-0x0000022711554000-memory.dmp
                  Filesize

                  720KB

                  Download
                • memory/2028-146-0x0000000000000000-mapping.dmp
                  Download
                • memory/2056-162-0x0000000002AC0000-0x0000000002AD0000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2056-161-0x0000000002460000-0x0000000002470000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2056-149-0x0000000002D00000-0x0000000002DB4000-memory.dmp
                  Filesize

                  720KB

                  Download
                • memory/2056-169-0x00000000023A0000-0x00000000023B0000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2056-168-0x0000000002460000-0x0000000002470000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2056-167-0x0000000002AC0000-0x0000000002AD0000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2056-166-0x0000000002AC0000-0x0000000002AD0000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2056-165-0x0000000002AC0000-0x0000000002AD0000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2056-164-0x0000000002AC0000-0x0000000002AD0000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2056-163-0x0000000002AC0000-0x0000000002AD0000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/3436-150-0x0000026112A90000-0x0000026112B44000-memory.dmp
                  Filesize

                  720KB

                  Download
                • memory/3636-151-0x000001FFD7CC0000-0x000001FFD7D74000-memory.dmp
                  Filesize

                  720KB

                  Download
                • memory/3768-154-0x0000000000000000-mapping.dmp
                  Download
                • memory/4300-158-0x0000000000000000-mapping.dmp
                  Download
                • memory/4300-160-0x0000000000F30000-0x0000000000FD7000-memory.dmp
                  Filesize

                  668KB

                  Download
                • memory/4300-159-0x0000000000EE6B20-0x0000000000EE6B24-memory.dmp
                  Filesize

                  4B

                  Download
                • memory/4696-152-0x000001E3D7080000-0x000001E3D7134000-memory.dmp
                  Filesize

                  720KB

                  Download
                • memory/4896-132-0x0000000000000000-mapping.dmp
                  Download
                • memory/4896-144-0x0000000010000000-0x0000000010A16000-memory.dmp
                  Filesize

                  10.1MB

                  Download
                • memory/4896-133-0x0000000010000000-0x000000001004D000-memory.dmp
                  Filesize

                  308KB

                  Download
                • memory/4896-134-0x0000000010000000-0x0000000010A16000-memory.dmp
                  Filesize

                  10.1MB

                  Download
                • memory/4896-135-0x0000000010000000-0x0000000010A16000-memory.dmp
                  Filesize

                  10.1MB

                  Download
                • memory/4896-136-0x0000000002A30000-0x0000000002A7B000-memory.dmp
                  Filesize

                  300KB

                  Download