gozi | 94f9901021891b76a7602ad7a8ca17ba0b8b2fb268c3d2417a7fdc226519ac33

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

294KB
MD5

e8076ccdf5fa25a9b54bf28c85775e2f
SHA1

787750437cc8b121f798863f55060e2fe362fa01
SHA256

94f9901021891b76a7602ad7a8ca17ba0b8b2fb268c3d2417a7fdc226519ac33
SHA512

44fa12fd3dc538c7ac5bc5fe1da0e2a04afe2586e2b7977cf8d845a91e32d0173ecb145a972f718b6d3439350d7630d04cb342a3c388bd2f2a8ebe07a6e5e93f
SSDEEP

3072:n2S7BTivBoduzHLmtkY2j0eUnkrfPqU6xyhACMOTMNjAY:2WB+vaduzHLmtMSnkrXq7qAgQN

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1456 set thread context of 1364	1456	powershell.exe	Explorer.EXE
PID 1364 set thread context of 2396	1364	Explorer.EXE	cmd.exe
PID 2396 set thread context of 1928	2396	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1928 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1928 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1928	PING.EXE

pid	process
1928	PING.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
1496	client.exe
1456	powershell.exe
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1456 powershell.exe
1364 Explorer.EXE
2396 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1456 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1364 Explorer.EXE

pid	process
1456	powershell.exe
1364	Explorer.EXE
2396	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1456	powershell.exe

pid	process
1364	Explorer.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 560 wrote to memory of 1456	560	mshta.exe	powershell.exe
PID 560 wrote to memory of 1456	560	mshta.exe	powershell.exe
PID 560 wrote to memory of 1456	560	mshta.exe	powershell.exe
PID 1456 wrote to memory of 1948	1456	powershell.exe	csc.exe
PID 1456 wrote to memory of 1948	1456	powershell.exe	csc.exe
PID 1456 wrote to memory of 1948	1456	powershell.exe	csc.exe
PID 1948 wrote to memory of 1444	1948	csc.exe	cvtres.exe
PID 1948 wrote to memory of 1444	1948	csc.exe	cvtres.exe
PID 1948 wrote to memory of 1444	1948	csc.exe	cvtres.exe
PID 1456 wrote to memory of 752	1456	powershell.exe	csc.exe
PID 1456 wrote to memory of 752	1456	powershell.exe	csc.exe
PID 1456 wrote to memory of 752	1456	powershell.exe	csc.exe
PID 752 wrote to memory of 1212	752	csc.exe	cvtres.exe
PID 752 wrote to memory of 1212	752	csc.exe	cvtres.exe
PID 752 wrote to memory of 1212	752	csc.exe	cvtres.exe
PID 1456 wrote to memory of 1364	1456	powershell.exe	Explorer.EXE
PID 1456 wrote to memory of 1364	1456	powershell.exe	Explorer.EXE
PID 1456 wrote to memory of 1364	1456	powershell.exe	Explorer.EXE
PID 1364 wrote to memory of 2396	1364	Explorer.EXE	cmd.exe
PID 1364 wrote to memory of 2396	1364	Explorer.EXE	cmd.exe
PID 1364 wrote to memory of 2396	1364	Explorer.EXE	cmd.exe
PID 1364 wrote to memory of 2396	1364	Explorer.EXE	cmd.exe
PID 1364 wrote to memory of 2396	1364	Explorer.EXE	cmd.exe
PID 1364 wrote to memory of 2396	1364	Explorer.EXE	cmd.exe
PID 2396 wrote to memory of 1928	2396	cmd.exe	PING.EXE
PID 2396 wrote to memory of 1928	2396	cmd.exe	PING.EXE
PID 2396 wrote to memory of 1928	2396	cmd.exe	PING.EXE
PID 2396 wrote to memory of 1928	2396	cmd.exe	PING.EXE
PID 2396 wrote to memory of 1928	2396	cmd.exe	PING.EXE
PID 2396 wrote to memory of 1928	2396	cmd.exe	PING.EXE
PID 1364 wrote to memory of 2880	1364	Explorer.EXE	cmd.exe
PID 1364 wrote to memory of 2880	1364	Explorer.EXE	cmd.exe
PID 1364 wrote to memory of 2880	1364	Explorer.EXE	cmd.exe
PID 1364 wrote to memory of 2880	1364	Explorer.EXE	cmd.exe
PID 1364 wrote to memory of 2880	1364	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yr1v='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yr1v).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\14432B37-6353-66A1-8D88-47FA113C6BCE\\\ClassLocal'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name tmyklmcqct -value gp; new-alias -name ylxsnerre -value iex; ylxsnerre ([System.Text.Encoding]::ASCII.GetString((tmyklmcqct "HKCU:Software\AppDataLow\Software\Microsoft\14432B37-6353-66A1-8D88-47FA113C6BCE").OperatorTime))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s4krer3m.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2C6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA2B5.tmp"
5⤵
PID:1444

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\amdtupjc.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA390.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA38F.tmp"
5⤵
PID:1212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1928

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA2C6.tmp

Filesize
1KB

MD5
a1bb77236cc5ade36e05872dab1fadd9

SHA1
14ab2f16d9e160f04c070dd9ef37528f5eae1412

SHA256
b7955d5d792e8a4022f9b0b38721ed4aa87d5e6f9b03508ed6580b5df0ec3f34

SHA512
1ef1f39d92368904c39577c91478aba4c1c0407e1a431478f6a4475ce1e6997901d0ea86211f70c0d89ed6254356757bf661c3cd232a8cf2fdd8e75de5f5407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA390.tmp

Filesize
1KB

MD5
b9f634d788152097a8c8d7b6bacf9cdb

SHA1
66ebc8a869ddd4866b083108688605dbec36cbee

SHA256
03470758b78992985febe8bb1ab4ec24c59e19987d16057800f3b19199b547e9

SHA512
ffa46cf032eb17168360e53496d745865149fe25cee9f145368f1976510600a91f058f878d784305b35c1bf3decbd2df934b0d1c1c405fe0af5f61186d3dfbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\amdtupjc.dll

Filesize
3KB

MD5
90e226a82bddd740e7bb275b9631a0fa

SHA1
e3c5fb1ea3f45f8b3bccde6537d15a26037b2a30

SHA256
c3b94daba8738430490da4818b359b0b2be0f9aadce4304f1ed894a1b11310f4

SHA512
051b7cfccbdfffb2560d998e072d703f90555f20d7c78636c972e6ec6f9f57b7f377730e08e1848c7e6133a8e62e011934aad45945b92dc6dbf4e7d0495dce8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\amdtupjc.pdb

Filesize
7KB

MD5
e358c552fd8bec1ea8488b5c20671391

SHA1
af586f7f2845d84be83b8c3441a2a947862468fb

SHA256
6ea23ed073aa7122d2883d5c7ea49271b3fe8da1aff26a073a5320806f5175a1

SHA512
40850e545ee8b3c92d5c2490bb081bd26dfc0428102761d581c8b75a6470f04c3d3b7851c79501e2833549aeea1573f4565b03a198c4fae8d320629a4db492ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\s4krer3m.dll

Filesize
3KB

MD5
fabbdc61234feb463f96e18f2081fe42

SHA1
9ce0165974bcf9cc97da2e9bfe627431530272d4

SHA256
b9282eee41ab50d02585922f69c8d9da14fe10c613dfeeece94f11903ae51bbd

SHA512
ea746904cbc4717dc70b73e0f7cee81a87ff9c840bfc1d0fb7a919d26ebda3f01d66a4b27d939c87f0dcd67993a76807dc11124dfeb9185a27ef9459c1aedb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\s4krer3m.pdb

Filesize
7KB

MD5
9fef9cc4012e3caa7b69256d6f2928b2

SHA1
ea75285bab855aef40ef5c0ffe20d97299b0c124

SHA256
1ec4e672b6d85d05c922c2669958e70b3de0cbb5bec6579641d38770f78effac

SHA512
cb31536b9b3379f033485a2f006f7b9681d23da0e11d0b7fdf5f8fa42c643cf7a315ed109f8361cbdc532caed39e818f45ee2e83bb263259a58c163585096505

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA2B5.tmp

Filesize
652B

MD5
a447436685caf7cbfe5768bf64619223

SHA1
e21ee6dc21296d308e292fb98c4fa84982f30375

SHA256
002bbb40803e491933689d29d6ee1a52ad1326c4d04ee2142ceae2bb09e84283

SHA512
001a0ae4fd5737c7366b99bda1b73192364c6ded6444aeb3836a50ea5240060c36d97feb7fbfc9d68018e5be3a70bb21215ef01b42187009bab88bef62c339e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA38F.tmp

Filesize
652B

MD5
d546ea0ea4ad98232fc01d787cbed1a2

SHA1
db887edc304f38bf23802536bf310f3cd2b78b84

SHA256
92815398f106483ba73ae47c349f4e172ce08c375b198f707a809a0850b2912c

SHA512
453c0505055e1e10792cd7456a3a3ffbdcb3c251943324e7f5e40d146c56222114d19ed12ea0b1619c5f041d3644a006908cc80ff7d2c84a3c32eb9eb2fbc992

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\amdtupjc.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\amdtupjc.cmdline

Filesize
309B

MD5
5b64fd1ce871d8f465ee09eb62677ecf

SHA1
0195af03e769971f99ab104120abd7528b968c11

SHA256
5f4a7fabd78722479a4bb59b0cb442536e724c7a7cb55d207ae81fde44ad2bb6

SHA512
95fdc9486e8b3c09cb77709eb981b877b0869751dad2b73750986ecf73833d15f45838082edb1362722d3ee88eb7f3ae65d3d90b09c29641c18347342a823f92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s4krer3m.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s4krer3m.cmdline

Filesize
309B

MD5
025982b3ce9233007ef625f1e892f4e4

SHA1
cfb9be60ec6430e85b0a1fe28732ce981848fe3f

SHA256
d8ee56bd09211122b5a81ed5412c1fb759c01c8e34000a8fdd362f96cdaacd01

SHA512
e89580a0cc9296638da143763e459d0c1542be158989cd716571dd9c86a52261cc2436bb01e8c254798414441948e3fa8b5d9efebb4d87b18e8e5ad7e91ee96d

Download Submit
memory/1364-68-0x0000000004E60000-0x0000000004F04000-memory.dmp

Filesize
656KB

Download
memory/1364-69-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1456-33-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/1456-67-0x000000001B1C0000-0x000000001B1FD000-memory.dmp

Filesize
244KB

Download
memory/1456-32-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/1456-80-0x000000001B1C0000-0x000000001B1FD000-memory.dmp

Filesize
244KB

Download
memory/1456-31-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/1456-48-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/1456-30-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/1456-29-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/1456-28-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/1456-78-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/1456-72-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/1456-34-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/1456-64-0x0000000002A50000-0x0000000002A58000-memory.dmp

Filesize
32KB

Download
memory/1496-3-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/1496-7-0x0000000002300000-0x0000000002400000-memory.dmp

Filesize
1024KB

Download
memory/1496-2-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1496-8-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1496-22-0x0000000002550000-0x0000000002552000-memory.dmp

Filesize
8KB

Download
memory/1496-1-0x0000000002300000-0x0000000002400000-memory.dmp

Filesize
1024KB

Download
memory/1496-4-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/1928-87-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

Filesize
4KB

Download
memory/1928-90-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1928-88-0x0000000001B50000-0x0000000001BF4000-memory.dmp

Filesize
656KB

Download
memory/2396-82-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2396-81-0x0000000001BB0000-0x0000000001C54000-memory.dmp

Filesize
656KB

Download
memory/2396-79-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/2880-96-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2880-93-0x0000000000120000-0x00000000001B8000-memory.dmp

Filesize
608KB

Download
memory/2880-97-0x0000000000120000-0x00000000001B8000-memory.dmp

Filesize
608KB

Download
memory/2880-98-0x0000000000120000-0x00000000001B8000-memory.dmp

Filesize
608KB

Download