Overview

overview

10

Static

static

1

test.dll

windows7-x64

10

test.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    17-02-2023 14:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.dll

  • Size

    1.4MB

  • MD5

    04c9f5abf862f834e68abf9f88e64013

  • SHA1

    b578bae2483d4a5e0ac83aa6fcafaa3ff415468b

  • SHA256

    d2b41392e12bfdf13e131ba3db02e5f21851a98df243403995b182ee15a1992c

  • SHA512

    b05529f262cad69cd8bcfcd793fa644d74bf7be23423180fa418ca11428918a264ed7e615d255086e69ada85efc3b2e41719d2ce09962356b9ad0737820e7f60

  • SSDEEP

    12288:EfJ2dpC+/doJSnFlxGIDWv5EghEug86SbJqLb47v:aUCudoJsxGIDWv5N0OELb4

Score
10/10
gozi1000bankerldr4trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

https://merrovalt.top

Attributes
  • host_keep_time

    2

  • host_shift_time

    1

  • idle_time

    1

  • request_time

    10

aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\test.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\system32\cmd.exe
      cmd /c "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\A3C.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:380
      • C:\Windows\system32\net.exe
        net group "domain computers" /domain
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 group "domain computers" /domain
          4⤵
            PID:2008

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\A3C.tmp
      Filesize

      78B

      MD5

      aaec14b2de8e2fdaf8427672122af65c

      SHA1

      ca953efad669c93af85b968d747baa544d4465fb

      SHA256

      14c94c44d0eb89a820d96e1791f4b754c87ee778b5f4478289df0fb22e1c3da1

      SHA512

      a5cbad3de5070fdcd6aa7f3f5eda42b69faef44a431cf48e20ca1f4f42c648ee80bd5f1d9b981624ae6b39e2435b4278c9fd1e97491e3b244a2bba7d629021a8

      Download Submit
    • memory/380-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1780-65-0x0000000000000000-mapping.dmp
      Download
    • memory/2008-66-0x0000000000000000-mapping.dmp
      Download
    • memory/2036-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2036-55-0x0000000180000000-0x0000000180014000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2036-59-0x00000000002F0000-0x0000000000303000-memory.dmp
      Filesize

      76KB

      Download