Overview

overview

10

Static

static

2208c35df3...45.dll

windows7-x64

10

2208c35df3...45.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345.dll

  • Size

    1.1MB

  • MD5

    6b4640270bfa9629a0d6eba806873cc5

  • SHA1

    8a8304f960b8e5c6f6e779d9b686d7faddddb764

  • SHA256

    2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345

  • SHA512

    6ca002b90a62dbd2da1ed8b44e1d55973ccf14470c3ed31b4e60db7b13fe11f6a705ca00cf2cfac0de34e9b2634996996a41c2b90cc2cca4c6de881c2a400805

  • SSDEEP

    24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69tTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4+

Score
10/10
gozi1000bankerisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://drunt.at

http://news-deck.at

http://taslks.at
Attributes
  • build

    217107

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345.dll,#1
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3376
        • C:\Windows\system32\control.exe
          C:\Windows\system32\control.exe /?
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:5072
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
            5⤵
              PID:2056
      • C:\Windows\system32\cmd.exe
        cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\3E17.bi1"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2320
        • C:\Windows\system32\nslookup.exe
          nslookup myip.opendns.com resolver1.opendns.com
          3⤵
            PID:4648
        • C:\Windows\system32\cmd.exe
          cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3E17.bi1"
          2⤵
            PID:3700
          • C:\Windows\syswow64\cmd.exe
            "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
            2⤵
              PID:3020
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3392
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3644

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\3E17.bi1
              Filesize

              107B

              MD5

              82f12896705faeb1630b62f16d5f5cc8

              SHA1

              9ed376a84dd777c28d4510cd747da4fbbc2ff63b

              SHA256

              caccfc569992c55c1e532dd816a6e1846281397127c61e3403294d527780a35e

              SHA512

              e1f04928aea8e710cd34fd6a0580ad9fe2f045485574b1ba4e4e7db376cffd9dacbc15e51f54cb247a85985739b0d70b9e783c1e573ceb8785fc0662be35c379

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\3E17.bi1
              Filesize

              118B

              MD5

              41a49d1a2a3a8713a12ccf89932d4bb7

              SHA1

              b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287

              SHA256

              f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe

              SHA512

              1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\C_IStprf\bthsprop.dll
              Filesize

              1.1MB

              MD5

              6b4640270bfa9629a0d6eba806873cc5

              SHA1

              8a8304f960b8e5c6f6e779d9b686d7faddddb764

              SHA256

              2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345

              SHA512

              6ca002b90a62dbd2da1ed8b44e1d55973ccf14470c3ed31b4e60db7b13fe11f6a705ca00cf2cfac0de34e9b2634996996a41c2b90cc2cca4c6de881c2a400805

              Download Submit
            • memory/2056-148-0x0000023D7C450000-0x0000023D7C504000-memory.dmp
              Filesize

              720KB

              Download
            • memory/2056-147-0x0000000000000000-mapping.dmp
              Download
            • memory/2320-153-0x0000000000000000-mapping.dmp
              Download
            • memory/3008-150-0x0000000002730000-0x00000000027E4000-memory.dmp
              Filesize

              720KB

              Download
            • memory/3020-160-0x00000000017E0000-0x0000000001887000-memory.dmp
              Filesize

              668KB

              Download
            • memory/3020-159-0x0000000000046B20-0x0000000000046B24-memory.dmp
              Filesize

              4B

              Download
            • memory/3020-158-0x0000000000000000-mapping.dmp
              Download
            • memory/3376-134-0x0000000010000000-0x0000000010A16000-memory.dmp
              Filesize

              10.1MB

              Download
            • memory/3376-135-0x0000000010000000-0x0000000010A16000-memory.dmp
              Filesize

              10.1MB

              Download
            • memory/3376-132-0x0000000000000000-mapping.dmp
              Download
            • memory/3376-144-0x0000000010000000-0x0000000010A16000-memory.dmp
              Filesize

              10.1MB

              Download
            • memory/3376-133-0x0000000010000000-0x000000001004D000-memory.dmp
              Filesize

              308KB

              Download
            • memory/3376-136-0x0000000002550000-0x000000000259B000-memory.dmp
              Filesize

              300KB

              Download
            • memory/3392-151-0x0000019522100000-0x00000195221B4000-memory.dmp
              Filesize

              720KB

              Download
            • memory/3644-152-0x0000013FEE930000-0x0000013FEE9E4000-memory.dmp
              Filesize

              720KB

              Download
            • memory/3700-155-0x0000000000000000-mapping.dmp
              Download
            • memory/4648-154-0x0000000000000000-mapping.dmp
              Download
            • memory/5072-149-0x0000000000510000-0x00000000005C4000-memory.dmp
              Filesize

              720KB

              Download
            • memory/5072-143-0x0000000000000000-mapping.dmp
              Download
            • memory/5072-145-0x0000000000510000-0x00000000005C4000-memory.dmp
              Filesize

              720KB

              Download