Overview

overview

10

Static

static

1

b334e0d09c...8f.vbs

windows7-x64

10

b334e0d09c...8f.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    24/08/2023, 20:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b334e0d09cea851bd72d2346526a8bfd15a5dbd5ed4a36f0d0fd603a04b4e48f.vbs

  • Size

    847KB

  • MD5

    2368e9e529ee85a9c57efae72ee32a63

  • SHA1

    6c9c1510ca27b115323ff2c11f004fbcb7bf03f8

  • SHA256

    b334e0d09cea851bd72d2346526a8bfd15a5dbd5ed4a36f0d0fd603a04b4e48f

  • SHA512

    a9146dfcf5b0fbe3491898257373c526dfba2b782e45e911b7490a661eed295081c6858eeb7b574f9dfa23b6ede7ba17f2e78e53b3c5613dc07c19d5c89e0c60

  • SSDEEP

    6144:DSI4WZ5LeyWnPuoWD8TgkcObHofZMMKzqXCFdlXYkq8xM2dC0tk2+NEImlKiYebD:D/4r

Score
10/10
gozi2000bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    217112

Extracted

Family

gozi

Botnet

2000

C2

ad1.wensa.at/api1

nort.calag.at/api1
Attributes
  • build

    217112

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    193.183.98.66

    51.15.98.97

    94.247.43.254

    195.10.195.195

    8.8.8.8

  • exe_type

    loader

  • server_id

    730

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b334e0d09cea851bd72d2346526a8bfd15a5dbd5ed4a36f0d0fd603a04b4e48f.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\Music\\9494.dll",DllRegisterServer
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\Music\\9494.dll",DllRegisterServer
        3⤵
        • Loads dropped DLL
        PID:2068
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:268
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1992
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2392
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1948

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          61KB

          MD5

          e56ec378251cd65923ad88c1e14d0b6e

          SHA1

          7f5d986e0a34dd81487f6439fb0446ffa52a712e

          SHA256

          32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

          SHA512

          2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          1a379bb7c95fc0076bdead7d4de4de5a

          SHA1

          efeb5f98322f87e12b81ed780b9329c2f101d0e6

          SHA256

          001d60a1f5d351b5dda172f4a8b7a106a7d3ac3a426f379594b176eb372a1953

          SHA512

          870f335a53d0425e31151fdb21fe1f44ff97dfd27561187586a7d89e94c0ee70fd65bcc0d58fc1f906e753e840dd4a6397f46852d80b23e045cbca603db724e6

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          d86496f99aff7beff9b5afaaf76f50f4

          SHA1

          aca62bbbb8d9add1a695624607833d8e5c157340

          SHA256

          2862b79b5ac80ce4929f5413d03199d341cc495044ad5040c08d89bfcbb3973c

          SHA512

          f3792c0f858b262ada7b87aed4cc06ac700798e03958a4a619120014afd9f8d20421ba36f0e17852fb9124b5242daf803036b5e1d1fed21ebbb07dae0f4323a9

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          8d700643159f3e203c672ac0dad7c9e0

          SHA1

          0b7325aab4175a54370bd5fc5a459df998e3c916

          SHA256

          f6da4617907648d9c1adb06599eb16e5c82a696fecd4c5b4b5bdc44a8918ab0b

          SHA512

          cb75cfb818d0744a0bd6e3352c97626b3e621c679509779b7695f131f9906db3c80db37e0b995d92eea343448b06cd75a8d5b198b54acff9d38e88bfa93d5ed4

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          96f4a84f0b0d027b003ea03639dd07a6

          SHA1

          d2b4960895f3eb7b274d91fc716fa9b7cb70f0d7

          SHA256

          80d6ac1e12a5ae0f049edb78e23e7c12f2a862015ab2eeeff2835f25a889c229

          SHA512

          40e2d6432099a56c90089437d36d3972fbbd2294be3c68ca2b40fab43682b1d102708d7e9912ff04afb08d580c37c1568f72efb2bdcdc290bcb8314159becd0a

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          9381a0839ce3013fe23fd7ae1721ce34

          SHA1

          cdf3ef5f6cb213286d8356b5dd3036781824b31a

          SHA256

          afcb87e8874faac1324189c48ba990120da5f534b04cf49c18c67ab265ca2b1d

          SHA512

          d7c412dd6289aba643d643abfae81ef38c3069ac67aabd63ce423f1cabd010eec074e083d906d969971edfcd05adc909b5269d743175f318c0ea3196b8c193a8

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          8bcdf1d07968bec5acbcfcb1843e53c5

          SHA1

          7282575eda898957d61d3107d1dc917e12f52a3f

          SHA256

          e16038167e1f4e01798bb688b628ed953effd4071789499c84fdc8c26ab48087

          SHA512

          e9623fdaa432e16db88b08d54875e6717ebb489c7cf506090962e9a27ec83ab6c37b455139485befd48223216790c470dce36242cd6b83490942786184db6405

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          fa3d9c14595aadfde26c1ce831f1489c

          SHA1

          6e681e20fe2c172159f4bed5ffd67581e7e7db6f

          SHA256

          a6c250d302da571d24f30d900e43dae34285ed00082d3c42f6f393466f746f1b

          SHA512

          25d138d87e117be0515af35478432d3a12f11983755eb37b5d69d88e894de5822f300815e005ce6698622f8417e468b0af501cbf9501896da6a50f4bfcb2a16c

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          ab185a675bf5056cb18bd0f422f2c24b

          SHA1

          090316ef0127fe80271079159de241b953851fb9

          SHA256

          adfd5be9dc1c3c085021fc5360f1a173cd92a510118ec2424d14695fc1a2eeb9

          SHA512

          85ee5f8060a2e07f325573a42143eae9de7ead850da54886bbcafd221fd7a38b75f79e1529998f0645af67ff23068962a529b0ee23d2fc23a1e10262c6f4bccc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Cab61C1.tmp
          Filesize

          62KB

          MD5

          3ac860860707baaf32469fa7cc7c0192

          SHA1

          c33c2acdaba0e6fa41fd2f00f186804722477639

          SHA256

          d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

          SHA512

          d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar63AD.tmp
          Filesize

          163KB

          MD5

          19399ab248018076e27957e772bcfbab

          SHA1

          faef897e02d9501146beb49f75da1caf12967b88

          SHA256

          326842dd8731e37c8c27a08373c7ac341e6c72226cc850084e3a17d26675f3c9

          SHA512

          6d5b12ec637ef4223fdd0e271cdc9f860b060ff08d380bba546ac6962b1d672003f9ae9556d65282d8083e830d4277bad8d16443720716077e542ab0262b0103

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\~DF06347FB5422F9FC7.TMP
          Filesize

          16KB

          MD5

          3c5ee756ae59d7fe7c7eadfd16ecd85e

          SHA1

          b28028310019e310673cb1deb024332a5dfc60d0

          SHA256

          092263ada3559cd6a3a9f91d6e6fb258ffb9a7d308c9a9e494d6ca57ab1343b7

          SHA512

          5fbb4ada4179fc8808a318e150c7c130f0ba88d38194dec0524a56edcab3d3898f8876738f9c43b06b96f9d35d70e13ca1a5c43db25472b231849c5de25ef1ed

          Download Submit

        • C:\Users\Admin\Music\9494.dll
          Filesize

          196KB

          MD5

          4c555814801a7954f68654d1b9c4a958

          SHA1

          56e2491318b0988318aee9843c6faea7c08111c5

          SHA256

          3c30cbca9558f4baefeffe64c62e2c4004f4fe9e04a2ba6d2e7f2dbf7b0fba09

          SHA512

          56f5de832f63c8614c3a020097afba6697581062dbe59808cedd7f58c4aa1f50767148114bfcb0ef88ad572fcf14a1e6d5d029f8f41bf4fcbb23d8f1f43a3e44

          Download Submit

        • \Users\Admin\Music\9494.dll
          Filesize

          196KB

          MD5

          4c555814801a7954f68654d1b9c4a958

          SHA1

          56e2491318b0988318aee9843c6faea7c08111c5

          SHA256

          3c30cbca9558f4baefeffe64c62e2c4004f4fe9e04a2ba6d2e7f2dbf7b0fba09

          SHA512

          56f5de832f63c8614c3a020097afba6697581062dbe59808cedd7f58c4aa1f50767148114bfcb0ef88ad572fcf14a1e6d5d029f8f41bf4fcbb23d8f1f43a3e44

          Download Submit

        • \Users\Admin\Music\9494.dll
          Filesize

          196KB

          MD5

          4c555814801a7954f68654d1b9c4a958

          SHA1

          56e2491318b0988318aee9843c6faea7c08111c5

          SHA256

          3c30cbca9558f4baefeffe64c62e2c4004f4fe9e04a2ba6d2e7f2dbf7b0fba09

          SHA512

          56f5de832f63c8614c3a020097afba6697581062dbe59808cedd7f58c4aa1f50767148114bfcb0ef88ad572fcf14a1e6d5d029f8f41bf4fcbb23d8f1f43a3e44

          Download Submit

        • \Users\Admin\Music\9494.dll
          Filesize

          196KB

          MD5

          4c555814801a7954f68654d1b9c4a958

          SHA1

          56e2491318b0988318aee9843c6faea7c08111c5

          SHA256

          3c30cbca9558f4baefeffe64c62e2c4004f4fe9e04a2ba6d2e7f2dbf7b0fba09

          SHA512

          56f5de832f63c8614c3a020097afba6697581062dbe59808cedd7f58c4aa1f50767148114bfcb0ef88ad572fcf14a1e6d5d029f8f41bf4fcbb23d8f1f43a3e44

          Download Submit

        • \Users\Admin\Music\9494.dll
          Filesize

          196KB

          MD5

          4c555814801a7954f68654d1b9c4a958

          SHA1

          56e2491318b0988318aee9843c6faea7c08111c5

          SHA256

          3c30cbca9558f4baefeffe64c62e2c4004f4fe9e04a2ba6d2e7f2dbf7b0fba09

          SHA512

          56f5de832f63c8614c3a020097afba6697581062dbe59808cedd7f58c4aa1f50767148114bfcb0ef88ad572fcf14a1e6d5d029f8f41bf4fcbb23d8f1f43a3e44

          Download Submit

        • memory/2068-10-0x00000000000C0000-0x00000000000C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2068-9-0x00000000001A0000-0x00000000001E9000-memory.dmp

          Filesize

          292KB

          Download

        • memory/2068-6-0x00000000001A0000-0x00000000001E9000-memory.dmp

          Filesize

          292KB

          Download

        • memory/2068-15-0x00000000000C0000-0x00000000000C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2068-8-0x00000000001A0000-0x00000000001E9000-memory.dmp

          Filesize

          292KB

          Download

        • memory/2068-11-0x00000000001F0000-0x0000000000202000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2068-16-0x00000000002F0000-0x00000000002F2000-memory.dmp

          Filesize

          8KB

          Download