gozi | 63827113192d02e81371453ef61c3882b1f0abca89459ea78d6baa31bc2fe83d

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-06-2023 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

617.3MB
MD5

66bd2a1dd8540c9d7281d1e36cee0c1b
SHA1

7407f62b80f1ce48f4a9500e82a6370faf689025
SHA256

63827113192d02e81371453ef61c3882b1f0abca89459ea78d6baa31bc2fe83d
SHA512

feb5ea41e05d59568115c8fef6fde731d030eb056c9e033a354e8c53a009bb65db86d9cdff6ae3bf5ea6938ed90fab233e0716f604cf2f366fae0e3848730db0
SSDEEP

12288:6pWvULtx0eFQ4+zoL/sB14b/FmQxXXzb9wZptR4b9wZptRUyoIOJ:6pTx5FQ5oL/sB1cFm8X9yi9ygP

Score

10^/10

gozi 555756 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

555756

http://logonn.biinng.com

http://78.153.130.9

http://llogiin.biinng.com

http://45.15.157.239

Attributes

base_path
/zerotohero/
build
250257
exe_type
loader
extension
.asi
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 1144	1300	1.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	1.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28
PID 1300 wrote to memory of 1144	1300	1.exe	28

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-83-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1144-92-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1144-91-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1144-90-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1144-88-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1144-87-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1144-85-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1144-80-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1144-81-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1144-82-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1144-84-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1300-61-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-65-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-79-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-77-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-71-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-73-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-69-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-75-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-67-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-54-0x00000000012F0000-0x0000000001538000-memory.dmp

Filesize
2.3MB

Download
memory/1300-63-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-59-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-57-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-56-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/1300-55-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads