Overview

overview

10

Static

static

1

b334e0d09c...8f.vbs

windows7-x64

10

b334e0d09c...8f.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    24-08-2023 20:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b334e0d09cea851bd72d2346526a8bfd15a5dbd5ed4a36f0d0fd603a04b4e48f.vbs

  • Size

    847KB

  • MD5

    2368e9e529ee85a9c57efae72ee32a63

  • SHA1

    6c9c1510ca27b115323ff2c11f004fbcb7bf03f8

  • SHA256

    b334e0d09cea851bd72d2346526a8bfd15a5dbd5ed4a36f0d0fd603a04b4e48f

  • SHA512

    a9146dfcf5b0fbe3491898257373c526dfba2b782e45e911b7490a661eed295081c6858eeb7b574f9dfa23b6ede7ba17f2e78e53b3c5613dc07c19d5c89e0c60

  • SSDEEP

    6144:DSI4WZ5LeyWnPuoWD8TgkcObHofZMMKzqXCFdlXYkq8xM2dC0tk2+NEImlKiYebD:D/4r

Score
10/10
gozi2000bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    217112

Extracted

Family

gozi

Botnet

2000

C2

ad1.wensa.at/api1

nort.calag.at/api1
Attributes
  • build

    217112

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    193.183.98.66

    51.15.98.97

    94.247.43.254

    195.10.195.195

    8.8.8.8

  • exe_type

    loader

  • server_id

    730

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b334e0d09cea851bd72d2346526a8bfd15a5dbd5ed4a36f0d0fd603a04b4e48f.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\Music\\9494.dll",DllRegisterServer
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\Music\\9494.dll",DllRegisterServer
        3⤵
        • Loads dropped DLL
        PID:2068
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:268
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1992
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2392
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    e56ec378251cd65923ad88c1e14d0b6e

    SHA1

    7f5d986e0a34dd81487f6439fb0446ffa52a712e

    SHA256

    32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

    SHA512

    2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1a379bb7c95fc0076bdead7d4de4de5a

    SHA1

    efeb5f98322f87e12b81ed780b9329c2f101d0e6

    SHA256

    001d60a1f5d351b5dda172f4a8b7a106a7d3ac3a426f379594b176eb372a1953

    SHA512

    870f335a53d0425e31151fdb21fe1f44ff97dfd27561187586a7d89e94c0ee70fd65bcc0d58fc1f906e753e840dd4a6397f46852d80b23e045cbca603db724e6

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d86496f99aff7beff9b5afaaf76f50f4

    SHA1

    aca62bbbb8d9add1a695624607833d8e5c157340

    SHA256

    2862b79b5ac80ce4929f5413d03199d341cc495044ad5040c08d89bfcbb3973c

    SHA512

    f3792c0f858b262ada7b87aed4cc06ac700798e03958a4a619120014afd9f8d20421ba36f0e17852fb9124b5242daf803036b5e1d1fed21ebbb07dae0f4323a9

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8d700643159f3e203c672ac0dad7c9e0

    SHA1

    0b7325aab4175a54370bd5fc5a459df998e3c916

    SHA256

    f6da4617907648d9c1adb06599eb16e5c82a696fecd4c5b4b5bdc44a8918ab0b

    SHA512

    cb75cfb818d0744a0bd6e3352c97626b3e621c679509779b7695f131f9906db3c80db37e0b995d92eea343448b06cd75a8d5b198b54acff9d38e88bfa93d5ed4

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    96f4a84f0b0d027b003ea03639dd07a6

    SHA1

    d2b4960895f3eb7b274d91fc716fa9b7cb70f0d7

    SHA256

    80d6ac1e12a5ae0f049edb78e23e7c12f2a862015ab2eeeff2835f25a889c229

    SHA512

    40e2d6432099a56c90089437d36d3972fbbd2294be3c68ca2b40fab43682b1d102708d7e9912ff04afb08d580c37c1568f72efb2bdcdc290bcb8314159becd0a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9381a0839ce3013fe23fd7ae1721ce34

    SHA1

    cdf3ef5f6cb213286d8356b5dd3036781824b31a

    SHA256

    afcb87e8874faac1324189c48ba990120da5f534b04cf49c18c67ab265ca2b1d

    SHA512

    d7c412dd6289aba643d643abfae81ef38c3069ac67aabd63ce423f1cabd010eec074e083d906d969971edfcd05adc909b5269d743175f318c0ea3196b8c193a8

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8bcdf1d07968bec5acbcfcb1843e53c5

    SHA1

    7282575eda898957d61d3107d1dc917e12f52a3f

    SHA256

    e16038167e1f4e01798bb688b628ed953effd4071789499c84fdc8c26ab48087

    SHA512

    e9623fdaa432e16db88b08d54875e6717ebb489c7cf506090962e9a27ec83ab6c37b455139485befd48223216790c470dce36242cd6b83490942786184db6405

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    fa3d9c14595aadfde26c1ce831f1489c

    SHA1

    6e681e20fe2c172159f4bed5ffd67581e7e7db6f

    SHA256

    a6c250d302da571d24f30d900e43dae34285ed00082d3c42f6f393466f746f1b

    SHA512

    25d138d87e117be0515af35478432d3a12f11983755eb37b5d69d88e894de5822f300815e005ce6698622f8417e468b0af501cbf9501896da6a50f4bfcb2a16c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ab185a675bf5056cb18bd0f422f2c24b

    SHA1

    090316ef0127fe80271079159de241b953851fb9

    SHA256

    adfd5be9dc1c3c085021fc5360f1a173cd92a510118ec2424d14695fc1a2eeb9

    SHA512

    85ee5f8060a2e07f325573a42143eae9de7ead850da54886bbcafd221fd7a38b75f79e1529998f0645af67ff23068962a529b0ee23d2fc23a1e10262c6f4bccc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cab61C1.tmp
    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar63AD.tmp
    Filesize

    163KB

    MD5

    19399ab248018076e27957e772bcfbab

    SHA1

    faef897e02d9501146beb49f75da1caf12967b88

    SHA256

    326842dd8731e37c8c27a08373c7ac341e6c72226cc850084e3a17d26675f3c9

    SHA512

    6d5b12ec637ef4223fdd0e271cdc9f860b060ff08d380bba546ac6962b1d672003f9ae9556d65282d8083e830d4277bad8d16443720716077e542ab0262b0103

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\~DF06347FB5422F9FC7.TMP
    Filesize

    16KB

    MD5

    3c5ee756ae59d7fe7c7eadfd16ecd85e

    SHA1

    b28028310019e310673cb1deb024332a5dfc60d0

    SHA256

    092263ada3559cd6a3a9f91d6e6fb258ffb9a7d308c9a9e494d6ca57ab1343b7

    SHA512

    5fbb4ada4179fc8808a318e150c7c130f0ba88d38194dec0524a56edcab3d3898f8876738f9c43b06b96f9d35d70e13ca1a5c43db25472b231849c5de25ef1ed

    Download Submit
  • C:\Users\Admin\Music\9494.dll
    Filesize

    196KB

    MD5

    4c555814801a7954f68654d1b9c4a958

    SHA1

    56e2491318b0988318aee9843c6faea7c08111c5

    SHA256

    3c30cbca9558f4baefeffe64c62e2c4004f4fe9e04a2ba6d2e7f2dbf7b0fba09

    SHA512

    56f5de832f63c8614c3a020097afba6697581062dbe59808cedd7f58c4aa1f50767148114bfcb0ef88ad572fcf14a1e6d5d029f8f41bf4fcbb23d8f1f43a3e44

    Download Submit
  • \Users\Admin\Music\9494.dll
    Filesize

    196KB

    MD5

    4c555814801a7954f68654d1b9c4a958

    SHA1

    56e2491318b0988318aee9843c6faea7c08111c5

    SHA256

    3c30cbca9558f4baefeffe64c62e2c4004f4fe9e04a2ba6d2e7f2dbf7b0fba09

    SHA512

    56f5de832f63c8614c3a020097afba6697581062dbe59808cedd7f58c4aa1f50767148114bfcb0ef88ad572fcf14a1e6d5d029f8f41bf4fcbb23d8f1f43a3e44

    Download Submit
  • \Users\Admin\Music\9494.dll
    Filesize

    196KB

    MD5

    4c555814801a7954f68654d1b9c4a958

    SHA1

    56e2491318b0988318aee9843c6faea7c08111c5

    SHA256

    3c30cbca9558f4baefeffe64c62e2c4004f4fe9e04a2ba6d2e7f2dbf7b0fba09

    SHA512

    56f5de832f63c8614c3a020097afba6697581062dbe59808cedd7f58c4aa1f50767148114bfcb0ef88ad572fcf14a1e6d5d029f8f41bf4fcbb23d8f1f43a3e44

    Download Submit
  • \Users\Admin\Music\9494.dll
    Filesize

    196KB

    MD5

    4c555814801a7954f68654d1b9c4a958

    SHA1

    56e2491318b0988318aee9843c6faea7c08111c5

    SHA256

    3c30cbca9558f4baefeffe64c62e2c4004f4fe9e04a2ba6d2e7f2dbf7b0fba09

    SHA512

    56f5de832f63c8614c3a020097afba6697581062dbe59808cedd7f58c4aa1f50767148114bfcb0ef88ad572fcf14a1e6d5d029f8f41bf4fcbb23d8f1f43a3e44

    Download Submit
  • \Users\Admin\Music\9494.dll
    Filesize

    196KB

    MD5

    4c555814801a7954f68654d1b9c4a958

    SHA1

    56e2491318b0988318aee9843c6faea7c08111c5

    SHA256

    3c30cbca9558f4baefeffe64c62e2c4004f4fe9e04a2ba6d2e7f2dbf7b0fba09

    SHA512

    56f5de832f63c8614c3a020097afba6697581062dbe59808cedd7f58c4aa1f50767148114bfcb0ef88ad572fcf14a1e6d5d029f8f41bf4fcbb23d8f1f43a3e44

    Download Submit
  • memory/2068-10-0x00000000000C0000-0x00000000000C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2068-9-0x00000000001A0000-0x00000000001E9000-memory.dmp
    Filesize

    292KB

    Download
  • memory/2068-6-0x00000000001A0000-0x00000000001E9000-memory.dmp
    Filesize

    292KB

    Download
  • memory/2068-15-0x00000000000C0000-0x00000000000C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2068-8-0x00000000001A0000-0x00000000001E9000-memory.dmp
    Filesize

    292KB

    Download
  • memory/2068-11-0x00000000001F0000-0x0000000000202000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2068-16-0x00000000002F0000-0x00000000002F2000-memory.dmp
    Filesize

    8KB

    Download