Overview

overview

10

Static

static

3

client.exe

windows7-x64

10

client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2023 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client.exe

  • Size

    296KB

  • MD5

    3f39517fb0f5de4ba10e72242fb6cd9a

  • SHA1

    d9c68d8110038c21b9d1c5763eab9331c2cf3b45

  • SHA256

    b3a2a819e27b004310e65c2b6b000cb8444b3233271a5064e5314d9580d128d3

  • SHA512

    c69a9438a9915724233aff2a45a25421a33d05ff2fdcaa7ffdef7dd67f2c27aa1f0894e1c0b11def837d01515dbf42931d4ac829a0ea6a40b115002e615f7ebe

  • SSDEEP

    3072:pqrRrmv3TwaCRNnA/UeXFa3mSRACC2IS/gc/LRxNuIY:QrRyvDwaCRNn4XQ2wACZgc/LR/u

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Users\Admin\AppData\Local\Temp\client.exe
      "C:\Users\Admin\AppData\Local\Temp\client.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2208
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 472
        3⤵
        • Program crash
        PID:1500
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gnnm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gnnm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fetjcafxs -value gp; new-alias -name velyipcf -value iex; velyipcf ([System.Text.Encoding]::ASCII.GetString((fetjcafxs "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r0cwueko\r0cwueko.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3572
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26FB.tmp" "c:\Users\Admin\AppData\Local\Temp\r0cwueko\CSC3073D32C96E1487B9B7E24711542266.TMP"
            5⤵
              PID:3400
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\izhkb4z2\izhkb4z2.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28A1.tmp" "c:\Users\Admin\AppData\Local\Temp\izhkb4z2\CSC7378550E8ECC4BF395A05144A3A1E653.TMP"
              5⤵
                PID:2080
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1676
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:4148
        • C:\Windows\syswow64\cmd.exe
          "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
          2⤵
            PID:260
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3676
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:3408
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3988
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:5060
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2208 -ip 2208
              1⤵
                PID:3532

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RES26FB.tmp
                Filesize

                1KB

                MD5

                93cd868f97a67fca493f452fdcf363bb

                SHA1

                ff9dcc6356fc60760d5ef41940caec106059673f

                SHA256

                79a8dec8ba4477a575cddfa74d27b934738cbaa24c1ddf97cc255b84cdf0a49a

                SHA512

                42326e6feedd75b4c356337cfd7ab6ca62890346f34f8f7555dda74fad4e7d66444483982238582cdb3567dab4428d272b216e7d0552f23aab8fe35a66f30871

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES28A1.tmp
                Filesize

                1KB

                MD5

                2dedff43a43e45d836daf7cddf879bc6

                SHA1

                ef31b735b3bfddbfbeb1de56dd665e0b1ea18a6d

                SHA256

                eede22ca13231ccb053e7e1332cb635922af5f6bd61c8aca12c1f03e5b5359ec

                SHA512

                2cf6547d906250fdc6d0f22a23ad3d21362eb3a6fcae50e98403b41245dee30e5c9c25cf51e9e1c15ceff4a3836d95b9735e0a28d560f40458b1ed4a5cda6321

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ucrc3ie4.pw4.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\izhkb4z2\izhkb4z2.dll
                Filesize

                3KB

                MD5

                9094bf5c7b836272715eef45315e85bd

                SHA1

                d582771502c572c0667b108e9fdfcd6681a516fa

                SHA256

                491837662feb062ded2deba137898cdb6d1797ba21bfdceeacc5300f003513ee

                SHA512

                2ae982c40eab10c8867b25c61ca3c1712415022161195bc207deb6572b78359866eda44ad50b1e0490e5b49fa29ed816d52d654fe1a2bc7da9247174527e3c9a

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\r0cwueko\r0cwueko.dll
                Filesize

                3KB

                MD5

                081ae499c43c2877e2035ba9ee3458f0

                SHA1

                7b543b2a6329e9e7f5ac3b7202282792f242d07b

                SHA256

                a0fbc94f7535a7472e6a561e04789b5919a1ca57be13d0dd661eb3500462e256

                SHA512

                bb3f76ab388dfdd47a06acb5f4c6c60bccdfc6a5a6e3879a29dab734b42fe99eaf710cd6caa51e4ec0a436f25f87aae1c9fef4f64a48e9570427033074055094

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\izhkb4z2\CSC7378550E8ECC4BF395A05144A3A1E653.TMP
                Filesize

                652B

                MD5

                7e1dfaf44de6c75fd7fe8556abd0f7f5

                SHA1

                60e42f249e28b03f1dd7c3e67fa21e5b39d75716

                SHA256

                c97d91c1b49e39215500e1413a8ab9220b694ab952bdcfec0147ac464664ae55

                SHA512

                51ddffed8da1dc006c321361b18e1ce88849342d2a108b6d9dd55eaf075ba21eb99b13fa1469e90b4b83b2229450c436f099b3ac0c199e567f36de4d2ec190f9

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\izhkb4z2\izhkb4z2.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\izhkb4z2\izhkb4z2.cmdline
                Filesize

                369B

                MD5

                7e93f825d78cb20d2ff3f0103e79a458

                SHA1

                d3804f7fffb7b4516ac13bb16038090aa33bec26

                SHA256

                74ae72a002bee3426609d8306fcb47b076b55495b92345b0aa97a193c49972e5

                SHA512

                9fe2a6b9cf922838b39bb52726320bb8789c981973a5b3b4df0ea841ddc7fbf4d3cc012a0eda2bcc03f39b7ee1d41b5546418261c22deed8b0f1ce6522df2471

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\r0cwueko\CSC3073D32C96E1487B9B7E24711542266.TMP
                Filesize

                652B

                MD5

                33f282ca4602f55b13be868c25ca050d

                SHA1

                b4de20f6185357ba7fcc530d5cc812ebe0b326ca

                SHA256

                11348f8d908be23aac1b9db291156f62af54a7a93770205b7e275be220c15574

                SHA512

                7f24caef93fe4a99d8f341517f858ccbd16c8e3697014d7ea617779d4068d458b7504def87d0ad96906109eb9fdd1d0dc95fa24f76b87d1a094a384d49bbef12

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\r0cwueko\r0cwueko.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\r0cwueko\r0cwueko.cmdline
                Filesize

                369B

                MD5

                f344addb685450ba2a0e6d7da3a6a579

                SHA1

                932cb63791fb34f6cfd43e5308117b81aa157272

                SHA256

                6f02c4240fb2e80c852aa259abb6687195d49c3be339279cf412b578b130c143

                SHA512

                b6abc0126b306b4443fa82dfcd83919c4598a1b82523c0f47eeaf7aac9ec1db3a8a6e3a18ab363c719df7aeb17244262c13f7466d16265c5897528628cb8db4e

                Download Submit
              • memory/260-113-0x0000000000B90000-0x0000000000C28000-memory.dmp
                Filesize

                608KB

                Download
              • memory/260-111-0x0000000000B50000-0x0000000000B51000-memory.dmp
                Filesize

                4KB

                Download
              • memory/260-108-0x0000000000B90000-0x0000000000C28000-memory.dmp
                Filesize

                608KB

                Download
              • memory/1676-116-0x0000019FFFC00000-0x0000019FFFCA4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1676-83-0x0000019FFFAD0000-0x0000019FFFAD1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1676-81-0x0000019FFFC00000-0x0000019FFFCA4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1876-38-0x0000016F0A810000-0x0000016F0A818000-memory.dmp
                Filesize

                32KB

                Download
              • memory/1876-24-0x0000016F22D90000-0x0000016F22DA0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1876-25-0x0000016F22D90000-0x0000016F22DA0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1876-23-0x00007FFACF6F0000-0x00007FFAD01B1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1876-22-0x0000016F0A780000-0x0000016F0A7A2000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1876-52-0x0000016F22EA0000-0x0000016F22EA8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/1876-68-0x0000016F22EB0000-0x0000016F22EED000-memory.dmp
                Filesize

                244KB

                Download
              • memory/1876-54-0x0000016F22EB0000-0x0000016F22EED000-memory.dmp
                Filesize

                244KB

                Download
              • memory/1876-67-0x00007FFACF6F0000-0x00007FFAD01B1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2208-8-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/2208-1-0x00000000024A0000-0x00000000025A0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/2208-9-0x0000000002440000-0x000000000244B000-memory.dmp
                Filesize

                44KB

                Download
              • memory/2208-115-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/2208-7-0x00000000024A0000-0x00000000025A0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/2208-4-0x0000000004040000-0x000000000404D000-memory.dmp
                Filesize

                52KB

                Download
              • memory/2208-3-0x0000000000400000-0x0000000002290000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/2208-2-0x0000000002440000-0x000000000244B000-memory.dmp
                Filesize

                44KB

                Download
              • memory/3160-56-0x0000000009350000-0x00000000093F4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3160-103-0x0000000009350000-0x00000000093F4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3160-57-0x0000000003250000-0x0000000003251000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3408-88-0x0000021414FF0000-0x0000021414FF1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3408-117-0x0000021415850000-0x00000214158F4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3408-84-0x0000021415850000-0x00000214158F4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3676-70-0x000001A8A3970000-0x000001A8A3A14000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3676-109-0x000001A8A3970000-0x000001A8A3A14000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3676-71-0x000001A8A35E0000-0x000001A8A35E1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3988-77-0x0000017C98B90000-0x0000017C98B91000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3988-76-0x0000017C98BD0000-0x0000017C98C74000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3988-114-0x0000017C98BD0000-0x0000017C98C74000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4148-105-0x000001BF32F20000-0x000001BF32F21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4148-102-0x000001BF33100000-0x000001BF331A4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4148-118-0x000001BF33100000-0x000001BF331A4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5060-95-0x0000027525EE0000-0x0000027525EE1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/5060-92-0x0000027525F30000-0x0000027525FD4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5060-119-0x0000027525F30000-0x0000027525FD4000-memory.dmp
                Filesize

                656KB

                Download