gozi | b59430d733e346aef69dc5992cee0f06d8dbfca7744d212159528c89d1008953

Resubmissions

03-08-2023 23:45

230803-3rv8asge64 10

04-08-2022 12:43

220804-px1s3sfhfn 1

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
03-08-2023 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b59430d733e346aef69dc5992cee0f06d8dbfca7744d212159528c89d1008953.dll
Size

297KB
MD5

d38f6f01bb926df07d34de0649f608f6
SHA1

8a3bd09ea156ede59f527af01412e66181b6d74c
SHA256

b59430d733e346aef69dc5992cee0f06d8dbfca7744d212159528c89d1008953
SHA512

73c575e5aa7963ca3d3c8cd2b08c83178030ed3248c215ec766628fad02ece83bb76bf3da613f4591485bf7610e9422eefa3ddbbb53885021338976087395903
SSDEEP

3072:nt83jOM22CvPJZ7cV0DrIKFXx3LKnyeLt/yX0mUGLN4eS2HH9sQ0yMLDPt+d80Ub:MjQJNcV1YpLKjpyNUGB4SO0JmNx

Score

10^/10

gozi 202206061 banker ldr4 trojan

Malware Config

Extracted

Family

gozi

Botnet

202206061

https://astope.xyz

https://giantos.xyz

Attributes

host_keep_time
2
host_shift_time
1
idle_time
1
request_time
10

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2584 wrote to memory of 1960	2584	regsvr32.exe	cmd.exe
PID 2584 wrote to memory of 1960	2584	regsvr32.exe	cmd.exe
PID 2584 wrote to memory of 1960	2584	regsvr32.exe	cmd.exe
PID 2584 wrote to memory of 2460	2584	regsvr32.exe	cmd.exe
PID 2584 wrote to memory of 2460	2584	regsvr32.exe	cmd.exe
PID 2584 wrote to memory of 2460	2584	regsvr32.exe	cmd.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b59430d733e346aef69dc5992cee0f06d8dbfca7744d212159528c89d1008953.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\system32\cmd.exe
cmd /c "echo Commands" >> C:\Users\Admin\AppData\Local\Temp\16E4.tmp
2⤵
PID:1960

C:\Windows\system32\cmd.exe
cmd /c "dir" >> C:\Users\Admin\AppData\Local\Temp\16E4.tmp
2⤵
PID:2460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
16df13cf5eb2da39220777a6a2ece356

SHA1
c516ee8181e50ad05f2ed4a514f93ba9833b50c5

SHA256
3d8d47022863c35ee7c7f7084b01ef8e8afdb65faa1b6c8e8a14d8d6bc53f1a9

SHA512
38e443f77ea60881ac92bdf565333f6b2c322aa8b7de82fa6434515fb23ba6b715cf4977d7a8002e6950aa5c4a9496252e913721c8059e79a172bc773634b23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\16E4.tmp
Filesize
3KB

MD5
7e98493677f05cd54f0305c21ebb5088

SHA1
d3c9c11b70335013286b0acfb412d08158741aee

SHA256
03b7658e23304cb11fad3e3ce832940a27de33249965b8ecc38fabc53738b1c2

SHA512
4451b3dd4edf522da469c5c6908b142947295972c549f897d19b3e95d9ed1dc281932278d4f966578c4a27dfc175527d3dbc4584ddf5184a153ccba6d6fa6356

Download Submit
C:\Users\Admin\AppData\Local\Temp\16E4.tmp
Filesize
3KB

MD5
7e98493677f05cd54f0305c21ebb5088

SHA1
d3c9c11b70335013286b0acfb412d08158741aee

SHA256
03b7658e23304cb11fad3e3ce832940a27de33249965b8ecc38fabc53738b1c2

SHA512
4451b3dd4edf522da469c5c6908b142947295972c549f897d19b3e95d9ed1dc281932278d4f966578c4a27dfc175527d3dbc4584ddf5184a153ccba6d6fa6356

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA71A.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA8B3.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/2584-58-0x0000000180000000-0x0000000180012000-memory.dmp

Filesize
72KB

Download
memory/2584-53-0x0000000180000000-0x0000000180012000-memory.dmp

Filesize
72KB

Download