Analysis

  • max time kernel
    151s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  • submitted
    22/03/2023, 07:21

General

  • Target

    server.exe

  • Size

    360KB

  • MD5

    99c144042b4cdea7181c4e082f7172c8

  • SHA1

    bcd5d80fd23caf9a5878218001e7c20d6c2060be

  • SHA256

    847b4ccd103040ed44a16bba6610627107821eedc8df816782c1d095d44100d5

  • SHA512

    9efa74c0ca3a51643a36405d3fe4d83a5d40f07515e487a833d1fd462af74913c2bc0b9baca70d93ec4840852c28b91758f55496d853923e1f31772544a28d60

  • SSDEEP

    3072:+VRilm8dar4jb9ZRhkNfAcLo04JyVnlT8M43xqwcnUi6JIUjixCUgwn0F:8RiD2OQVlTa3xB0UK

Malware Config

Extracted

Family

gozi

Botnet

7715

C2

checklist.skype.com

62.173.142.50

31.41.44.87

109.248.11.217

212.109.218.151

5.44.45.83

62.173.142.81

193.233.175.113

109.248.11.184

212.109.218.26

185.68.93.7

Attributes
  • base_path

    /drew/

  • build

    250255

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

  • rsa_pubkey.plain

  • aes.plain

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

Processes

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    PID: 1568

Downloads

  • memory/1568-55-0x0000000000220000-0x000000000022B000-memory.dmp
    Filesize: 44KB

  • memory/1568-56-0x00000000002C0000-0x00000000002CD000-memory.dmp
    Filesize: 52KB

  • memory/1568-59-0x0000000000400000-0x00000000004DB000-memory.dmp
    Filesize: 876KB