Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230824-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230824-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-08-2023 20:34

General

  • Target

    b334e0d09cea851bd72d2346526a8bfd15a5dbd5ed4a36f0d0fd603a04b4e48f.vbs

  • Size

    847KB

  • MD5

    2368e9e529ee85a9c57efae72ee32a63

  • SHA1

    6c9c1510ca27b115323ff2c11f004fbcb7bf03f8

  • SHA256

    b334e0d09cea851bd72d2346526a8bfd15a5dbd5ed4a36f0d0fd603a04b4e48f

  • SHA512

    a9146dfcf5b0fbe3491898257373c526dfba2b782e45e911b7490a661eed295081c6858eeb7b574f9dfa23b6ede7ba17f2e78e53b3c5613dc07c19d5c89e0c60

  • SSDEEP

    6144:DSI4WZ5LeyWnPuoWD8TgkcObHofZMMKzqXCFdlXYkq8xM2dC0tk2+NEImlKiYebD:D/4r

Malware Config

Extracted

Family

gozi

Attributes
  • build

    217112

Extracted

Family

gozi

Botnet

2000

C2

ad1.wensa.at/api1

nort.calag.at/api1

Attributes
  • build

    217112

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    193.183.98.66

    51.15.98.97

    94.247.43.254

    195.10.195.195

    8.8.8.8

  • exe_type

    loader

  • server_id

    730

  • rsa_pubkey.plain

  • serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Loads dropped DLL (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTPs, 58 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b334e0d09cea851bd72d2346526a8bfd15a5dbd5ed4a36f0d0fd603a04b4e48f.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\Music\\9493.dll",DllRegisterServer
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\Music\\9493.dll",DllRegisterServer
        3⤵
        • Loads dropped DLL
        PID:2860
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    PID:3924
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2604
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3068 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1584
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3892

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\~DF50DDEA1C86614517.TMP
      Filesize

      16KB

      MD5

      6e4790626240b7caa9ff850536d6d8a0

      SHA1

      8d5ce65d18cc1d8b6533f92066f48f399170a7b3

      SHA256

      4e4b7690af1eba6462afe6132f3013d13ac8c32297cab4225db2d386f80ff986

      SHA512

      3ee43cf2b64cae55d48e14dc4a7739155ff3c6eb732a69a2bbc6e135a9596cacd561b8dee1298ed540da3e086e16b5ebd9738bfcf7c3f0b9f1778061f46354a8

    • C:\Users\Admin\Music\9493.dll
      Filesize

      196KB

      MD5

      08a9e5f418b4d6e1eb79c07793c0ed67

      SHA1

      fd27aaa177355c6d8ddedfab6442f4649c0533e9

      SHA256

      dd8ddc5335cf5e9ebf26f58310078237c2711e58ff03691379fd81c1b14bda78

      SHA512

      312d24df3a1f4294962c40b6a375fced5b5806d3b7080740c862846cae9d7cce3dceafd5993a3d96dc17907d991e9dfc946771c126d69ab7e1c8d4fa8dd2b2a0

    • C:\Users\Admin\Music\9493.dll
      Filesize

      196KB

      MD5

      08a9e5f418b4d6e1eb79c07793c0ed67

      SHA1

      fd27aaa177355c6d8ddedfab6442f4649c0533e9

      SHA256

      dd8ddc5335cf5e9ebf26f58310078237c2711e58ff03691379fd81c1b14bda78

      SHA512

      312d24df3a1f4294962c40b6a375fced5b5806d3b7080740c862846cae9d7cce3dceafd5993a3d96dc17907d991e9dfc946771c126d69ab7e1c8d4fa8dd2b2a0

    • memory/2860-4-0x0000000000400000-0x0000000000449000-memory.dmp
      Filesize

      292KB

    • memory/2860-3-0x0000000000400000-0x0000000000449000-memory.dmp
      Filesize

      292KB

    • memory/2860-5-0x0000000002D20000-0x0000000002D21000-memory.dmp
      Filesize

      4KB

    • memory/2860-6-0x00000000035D0000-0x00000000035E2000-memory.dmp
      Filesize

      72KB

    • memory/2860-10-0x0000000002D20000-0x0000000002D21000-memory.dmp
      Filesize

      4KB