gozi | d3330f975232e5c1732cd1cfd2b64b631b16ae6cfd5ad3357e683989af54bbd2

Analysis

max time kernel
595s
max time network
602s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
17-02-2023 00:48

Target

C566B292EB539CF6D1F1D867D4F4972F9D2BC887DF68BAA25A36B5073AE470AD.dll
Size

335.1MB
MD5

9a5c17e5ffd7716dbe9425513f24f9f3
SHA1

4f96536ff5c9904593fd59df06452bc3b85ff8bd
SHA256

c566b292eb539cf6d1f1d867d4f4972f9d2bc887df68baa25a36b5073ae470ad
SHA512

4e79c9135714a19fc34ba696c7401eecb4505d2b709176a94562d1a36b2da3b18f9048658d9ae4d013292528493b370caa43dd215058cd96fd520b54e7b08b4f
SSDEEP

12288:EfJ2dpC+/doJSnFlxGIDWv5EghEug86SbJqLb47v0:aUCudoJsxGIDWv5N0OELb4I

Score

10^/10

Family

gozi

Family

gozi

Botnet

1000

https://merrovalt.top

Attributes

aes.plain

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Runs net.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

regsvr32.execmd.exenet.exe

description	pid	process	target process
PID 1724 wrote to memory of 780	1724	regsvr32.exe	cmd.exe
PID 1724 wrote to memory of 780	1724	regsvr32.exe	cmd.exe
PID 1724 wrote to memory of 780	1724	regsvr32.exe	cmd.exe
PID 780 wrote to memory of 1632	780	cmd.exe	net.exe
PID 780 wrote to memory of 1632	780	cmd.exe	net.exe
PID 780 wrote to memory of 1632	780	cmd.exe	net.exe
PID 1632 wrote to memory of 568	1632	net.exe	net1.exe
PID 1632 wrote to memory of 568	1632	net.exe	net1.exe
PID 1632 wrote to memory of 568	1632	net.exe	net1.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C566B292EB539CF6D1F1D867D4F4972F9D2BC887DF68BAA25A36B5073AE470AD.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\cmd.exe
cmd /c "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\D218.tmp
2⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\system32\net.exe
net group "domain computers" /domain
3⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
4⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\D218.tmp
Filesize
78B

MD5
aaec14b2de8e2fdaf8427672122af65c

SHA1
ca953efad669c93af85b968d747baa544d4465fb

SHA256
14c94c44d0eb89a820d96e1791f4b754c87ee778b5f4478289df0fb22e1c3da1

SHA512
a5cbad3de5070fdcd6aa7f3f5eda42b69faef44a431cf48e20ca1f4f42c648ee80bd5f1d9b981624ae6b39e2435b4278c9fd1e97491e3b244a2bba7d629021a8

Download Submit
memory/568-66-0x0000000000000000-mapping.dmp

Download
memory/780-64-0x0000000000000000-mapping.dmp

Download
memory/1632-65-0x0000000000000000-mapping.dmp

Download
memory/1724-54-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1724-55-0x0000000180000000-0x0000000180014000-memory.dmp

Filesize
80KB

Download
memory/1724-59-0x00000000002E0000-0x00000000002F3000-memory.dmp

Filesize
76KB

Download