Overview

overview

10

Static

static

3

client.exe

windows7-x64

10

client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2023 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client.exe

  • Size

    294KB

  • MD5

    bb35f8c1a3236ad31c754cdfe795d57f

  • SHA1

    b744f8ae31e2b3f7c3b72b9615823a3a3ad02989

  • SHA256

    5cd96f6b1e6a4a172d852a7bcf5ad10bf029e135061f0ae5105f45a9920089a2

  • SHA512

    fcb8f4458b7a5a4a2536a22ad55e4564ffe3d3327e4eefca10a30bc490ae29c8cc31760e07d567de53150090c84bb171209f1f3811f22d3f69545beb15edd0b0

  • SSDEEP

    3072:4e6lIjmvg7aaCIg0JHk8D8uNhUqHAMMQKL2H/NHIS:4blIavYaaCIg6h/NhUDAHlH

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3752
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:5100
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:4092
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3188
          • C:\Users\Admin\AppData\Local\Temp\client.exe
            "C:\Users\Admin\AppData\Local\Temp\client.exe"
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3516
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 472
              3⤵
              • Program crash
              PID:4304
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cdur='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cdur).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9\\\MemoryLocal'));if(!window.flag)close()</script>"
            2⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4472
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name duamtwx -value gp; new-alias -name buypujjgfp -value iex; buypujjgfp ([System.Text.Encoding]::ASCII.GetString((duamtwx "HKCU:Software\AppDataLow\Software\Microsoft\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9").ProcessActive))
              3⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4720
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4pgn2ost\4pgn2ost.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:5088
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES179A.tmp" "c:\Users\Admin\AppData\Local\Temp\4pgn2ost\CSC562B8919A0664895B7D3A6EC1B19C07A.TMP"
                  5⤵
                    PID:1740
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a0haxkrl\a0haxkrl.cmdline"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4680
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1865.tmp" "c:\Users\Admin\AppData\Local\Temp\a0haxkrl\CSCD5BB7AA5BA1C4E7680BBA7DBCC8390F6.TMP"
                    5⤵
                      PID:1844
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
                2⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:668
                • C:\Windows\system32\PING.EXE
                  ping localhost -n 5
                  3⤵
                  • Runs ping.exe
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  PID:3828
              • C:\Windows\syswow64\cmd.exe
                "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
                2⤵
                  PID:4232
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:4624
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3516 -ip 3516
                  1⤵
                    PID:4620

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\4pgn2ost\4pgn2ost.dll
                    Filesize

                    3KB

                    MD5

                    31b7d8b32742869edbd117064fd75b66

                    SHA1

                    f0e011f454fdb927566d64496b0cad4f3135c81d

                    SHA256

                    234e59629d060c72cc67a34d992a9be7647a77d71409d09e7599b79bcb11b75d

                    SHA512

                    694f1cf26ed500874039962bf454ce2be293830341fb1e0687a4e267c31644274aad9b162d044db96bc3890cfb0478b302bba1e1009aef42fdefd0d7b3f3d5ae

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RES179A.tmp
                    Filesize

                    1KB

                    MD5

                    00b75c5d59872be11253e22845041c7c

                    SHA1

                    81f0274f05f95f6c8f1bcd4c62d7bf005ff49fe9

                    SHA256

                    79258f8fa1793a74f1e82a695715c9a82674c5a884c9b89e292aea984bceff1b

                    SHA512

                    c0ef719457345474cc405c4cd32fc0805fcd8e20be0814e4b8c5dd0c336ef600f573efc264e22bc4bdc73aa8f10afab574ad943af063f343a8edc78139aefc54

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RES1865.tmp
                    Filesize

                    1KB

                    MD5

                    a72a6ab4ce6a54a5003d7b2a6b7f46ad

                    SHA1

                    bff2ffa19b218456c8cbfe9e968793f80c62c5f6

                    SHA256

                    2fcc700eaec2a42280a94c3c4eed05b2742e07892f179a43c3f70f18babd0442

                    SHA512

                    6a19e916b361d430e83c5a59879cdcfd421907017803517aac98639967f1430594f49174df771b9225ae800da3437365c48618f7f7ec545fb0f6e5ad49f623d9

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pctvfpd3.l5q.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\a0haxkrl\a0haxkrl.dll
                    Filesize

                    3KB

                    MD5

                    24a4669e73544c1da94d4e1b72280838

                    SHA1

                    8b9473b4950d2c30a4f8ec401de42d63c9e4b8f6

                    SHA256

                    168e1c9e3193cdfea6834f9286e93fd61d50080f049dcf1218895d62f57c485a

                    SHA512

                    5c5036b858ba5fcb81eef6375aa73cc6ace4a617854ad62733764f2f2c8c1db32fe702972f3ef9ed018d7f1c6f62de599f5d5cbc05a2aa10fc8e696084eb9d8e

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\4pgn2ost\4pgn2ost.0.cs
                    Filesize

                    405B

                    MD5

                    caed0b2e2cebaecd1db50994e0c15272

                    SHA1

                    5dfac9382598e0ad2e700de4f833de155c9c65fa

                    SHA256

                    21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                    SHA512

                    86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\4pgn2ost\4pgn2ost.cmdline
                    Filesize

                    369B

                    MD5

                    0cecbd03ebec9c35035e5012b05f63b0

                    SHA1

                    eaf5772c20721fd34c522fb60fcf9e58b975ef40

                    SHA256

                    b94c5378191eb82b90e9b3bfb4919728aa441233a68b17b242847a2ff48a840d

                    SHA512

                    0b082c80ff1d6f559a8da55bb6e8a38cf6f86cfad656c09d323e1aec47b08672ecd5697f8bffd52ae3d5131ed3ca1adbbf44078efa897529bfc4d7af73d9c755

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\4pgn2ost\CSC562B8919A0664895B7D3A6EC1B19C07A.TMP
                    Filesize

                    652B

                    MD5

                    5b889b923901c4606ba9205b40b11258

                    SHA1

                    12a9a2b2a6a78fbfd6cfd3d66372480e924b0797

                    SHA256

                    db5b28302c195e3a8a2916b19fa12cbc9feae9358707f14d3f88066696068d89

                    SHA512

                    761505deef3e73b6f4369bd2bd0498238581c2020eb8e2a2d996b69e073a5ef8494e3daa700a97932994a43b1f72984751a7b01b71610afd0d19daab9f9ebe01

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\a0haxkrl\CSCD5BB7AA5BA1C4E7680BBA7DBCC8390F6.TMP
                    Filesize

                    652B

                    MD5

                    bc18152d556b640d9d0a30153f0a9380

                    SHA1

                    f9a090fd2956c570187b8893faaae4afee410e03

                    SHA256

                    6b21412d9132fa4d8ffcc94fa06e440559cc0bf52c250fa625004292936f08b6

                    SHA512

                    e2527a0ca87ce3eb43d9d784d285b512c492cb94240ac1de256f1902a1c2ba73e97a901f9460a92b8c0e7cf7acc4f786b9be4717ba43d013f7318ace0899f1dc

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\a0haxkrl\a0haxkrl.0.cs
                    Filesize

                    406B

                    MD5

                    ca8887eacd573690830f71efaf282712

                    SHA1

                    0acd4f49fc8cf6372950792402ec3aeb68569ef8

                    SHA256

                    568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                    SHA512

                    2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\a0haxkrl\a0haxkrl.cmdline
                    Filesize

                    369B

                    MD5

                    ad8dd2b9205dd63cce016a9328660580

                    SHA1

                    76cb1d19791c9867fe63f9d20c47b1175affbf39

                    SHA256

                    54ccecb3a172be2a04a3e72a7d09783e8fd32e64ead2296abf3f7cb1c60c26d4

                    SHA512

                    ff47166f6d85ec08e3d00906d0bb6b761b547f4d60af9baa7dc8b7e47cad32ef80b1a6438040e0b3a8fdd787ab426c6df655a16cc4f6bc1f3c593a32e3a62d59

                    Download Submit

                  • memory/668-94-0x0000020430CC0000-0x0000020430D64000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/668-99-0x0000020430B70000-0x0000020430B71000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/668-117-0x0000020430CC0000-0x0000020430D64000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/3188-96-0x00000000087A0000-0x0000000008844000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/3188-55-0x00000000087A0000-0x0000000008844000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/3188-60-0x00000000027B0000-0x00000000027B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3516-114-0x0000000000400000-0x0000000002290000-memory.dmp

                    Filesize

                    30.6MB

                    Download

                  • memory/3516-3-0x0000000000400000-0x0000000002290000-memory.dmp

                    Filesize

                    30.6MB

                    Download

                  • memory/3516-9-0x0000000000400000-0x0000000002290000-memory.dmp

                    Filesize

                    30.6MB

                    Download

                  • memory/3516-8-0x00000000024F0000-0x00000000024FB000-memory.dmp

                    Filesize

                    44KB

                    Download

                  • memory/3516-7-0x00000000025C0000-0x00000000026C0000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/3516-1-0x00000000025C0000-0x00000000026C0000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/3516-2-0x00000000024F0000-0x00000000024FB000-memory.dmp

                    Filesize

                    44KB

                    Download

                  • memory/3516-4-0x0000000002550000-0x000000000255D000-memory.dmp

                    Filesize

                    52KB

                    Download

                  • memory/3752-69-0x0000012F43140000-0x0000012F43141000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3752-108-0x0000012F43090000-0x0000012F43134000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/3752-68-0x0000012F43090000-0x0000012F43134000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/3828-107-0x000001EFC9460000-0x000001EFC9504000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/3828-110-0x000001EFC9340000-0x000001EFC9341000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3828-116-0x000001EFC9460000-0x000001EFC9504000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/4092-73-0x000002371EC00000-0x000002371ECA4000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/4092-75-0x000002371EBC0000-0x000002371EBC1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4092-113-0x000002371EC00000-0x000002371ECA4000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/4232-104-0x00000000012E0000-0x0000000001378000-memory.dmp

                    Filesize

                    608KB

                    Download

                  • memory/4232-105-0x00000000012E0000-0x0000000001378000-memory.dmp

                    Filesize

                    608KB

                    Download

                  • memory/4232-95-0x00000000012E0000-0x0000000001378000-memory.dmp

                    Filesize

                    608KB

                    Download

                  • memory/4232-102-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4624-86-0x000001F5DAF20000-0x000001F5DAFC4000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/4624-118-0x000001F5DAF20000-0x000001F5DAFC4000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/4624-87-0x000001F5DAED0000-0x000001F5DAED1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4720-22-0x00007FF812620000-0x00007FF8130E1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4720-24-0x00000192F82C0000-0x00000192F82D0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4720-66-0x00007FF812620000-0x00007FF8130E1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4720-58-0x00000192F8260000-0x00000192F829D000-memory.dmp

                    Filesize

                    244KB

                    Download

                  • memory/4720-51-0x00000192F8250000-0x00000192F8258000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/4720-21-0x00000192F7DF0000-0x00000192F7E12000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/4720-37-0x00000192F7CC0000-0x00000192F7CC8000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/4720-23-0x00000192F82C0000-0x00000192F82D0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/5100-80-0x000001D3C0B40000-0x000001D3C0BE4000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/5100-115-0x000001D3C0B40000-0x000001D3C0BE4000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/5100-81-0x000001D3C03E0000-0x000001D3C03E1000-memory.dmp

                    Filesize

                    4KB

                    Download