Overview

overview

10

Static

static

10

payload.bin.exe

windows7-x64

1

payload.bin.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2023 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payload.bin.exe

  • Size

    37KB

  • MD5

    532039d2f764d59a4c1cac5e6091aa52

  • SHA1

    a1abbd3f89897952fc0a90e60ca49983c287a65c

  • SHA256

    bf0916eecb599636acf604e0111508923f638d8e077e9e0ab518f4e8f63f8e97

  • SHA512

    711c7a4d7481b414178542aac5ef908b5b66b50ed96305c9f159ea4b1762ddb77f2125470bbb8101909ff4c77c51d3c7e0a121d65a7356bc28756f8028f01b0b

  • SSDEEP

    768:MA3rPI5jShpW1v5wlZkyJ8Kl7aQixYgxYJmv0NHY7lbjNltdX2k:j3rPI5jSu1aZkyVJaf3C7YJj3HG

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3756
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4804
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4000
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3216
        • C:\Users\Admin\AppData\Local\Temp\payload.bin.exe
          "C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4416
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Khyl='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Khyl).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\79A35AC8-8476-1390-56BD-F8F7EA41AC1B\\\CharControl'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ckbqvbxh -value gp; new-alias -name unxfjms -value iex; unxfjms ([System.Text.Encoding]::ASCII.GetString((ckbqvbxh "HKCU:Software\AppDataLow\Software\Microsoft\79A35AC8-8476-1390-56BD-F8F7EA41AC1B").TimeAbout))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3636
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uann45ug\uann45ug.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3056
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD23.tmp" "c:\Users\Admin\AppData\Local\Temp\uann45ug\CSCEA42C0E27A8C454881EBD25AF38A6CA.TMP"
                5⤵
                  PID:752
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rafritrl\rafritrl.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3108
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE6C.tmp" "c:\Users\Admin\AppData\Local\Temp\rafritrl\CSCA263253BE036495BAA53E8D13CD16D.TMP"
                  5⤵
                    PID:4572
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:4636
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:1940
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:4460
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:2364

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\RESCD23.tmp
              Filesize

              1KB

              MD5

              b847b420fb85fa2bea8a504dc42e3b60

              SHA1

              7ae756b8a6e9978752808735b94181318947414d

              SHA256

              d1052d9ea7c6bc98646d4139cd18f5f48861d6526bbbd08ecc388ce731dceb0d

              SHA512

              a1e87f96c466d0dd517a00d123a9b5096b70e8496e614fe47aa4d21966cb944c6c966d074769d9d6bb330eb010f215d3679a2f9876a741af736860a5ac45b9e6

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\RESCE6C.tmp
              Filesize

              1KB

              MD5

              45f5b3c093fd814079dd9cd3e142bffc

              SHA1

              9586a5cddaa8b1271f52c7884a1dcd2337e212db

              SHA256

              d2349a1a84e86f3749544a98c5e2e99ee602dbbf02e50cb27dd0f4fc086e703d

              SHA512

              9dc63ccaf251e5735011ca36137d543e8c4a69b90dadc538847102e0f085b3d4e235d94b5d14c110989787ead578e79a8edded77bc048114b044446737cfe143

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_woujvycu.v4e.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\rafritrl\rafritrl.dll
              Filesize

              3KB

              MD5

              e87f63d28b2f640980af1a9c67c9d7d6

              SHA1

              efb68b04e074ec7d292ed47fd27d1fe46ee874ee

              SHA256

              0f4e4441bb622b0c902760c3cdcd8d6e307e11f8da578b13f2aa9700f502d04d

              SHA512

              e7b154e3555d7e73f2367621bafcdc5d54b80b66e38794118974357a90a4a8fe597d062c38a736b18f467becab7177fa7e75d487a0dd38a72a306dade25ee381

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\uann45ug\uann45ug.dll
              Filesize

              3KB

              MD5

              deaae2e939aca326cb312eb53c297d97

              SHA1

              b8ddb4eb06ec0ac6fb1bc489f012025b056a702d

              SHA256

              39bcfb205f83314e4821811fd336bbb41e24d3876bd44d9a7357105a93e53b83

              SHA512

              b95e742c08b725a1a7705de3615290508b9539ccd27c46dfb32728fd35b8c3278632d5db8c73fc8d1049bcb134f34994a15b4ff526be8fd4fec52d748c0b289f

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\rafritrl\CSCA263253BE036495BAA53E8D13CD16D.TMP
              Filesize

              652B

              MD5

              929d9a6a761a14bbb3976ac28851db6a

              SHA1

              954407f58f2598d982ad18020b351a65cbd36904

              SHA256

              bbe3bfea3aa6325ead58a134839137f3e88e9f58d50b539d0c23e62929a54629

              SHA512

              9e172870c8a2853e7ffd3ac98ca5529512a5002db639a5e6afc0aa75b69ea4168b3ac070eba4c01d70ee5490a894765bdcaeb5833c93a4a4c212f270654e9353

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\rafritrl\rafritrl.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\rafritrl\rafritrl.cmdline
              Filesize

              369B

              MD5

              030dd25724ad8c15bc1dbb8cce29ece9

              SHA1

              3b5cee97a9df700244521ba995950d3a42a129a1

              SHA256

              a3294d7201bc28e045f2fbad049a7780633354c86e632cfb2ff99dba13361dc2

              SHA512

              b9294d1273c0f74b865d9fc38fdb2d954eb95d597d5539a26ef3c194d4ade908023ef4cfe21151bfc8366a0ccb265a9a5a76c2f1971c1468f1e62154ce8c7fe0

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\uann45ug\CSCEA42C0E27A8C454881EBD25AF38A6CA.TMP
              Filesize

              652B

              MD5

              2705238f44856d962bfbb438dbb66d50

              SHA1

              c006c94bf77eae9c262f022d910464e446fc8fd8

              SHA256

              872430f4c7393ae5c06411e3a8e94a6ed9b2b17ae0e97adbb22f5392bd74d4ed

              SHA512

              5dc78446f3bf226ebe96f4b02285cf522b7ac2be915865e510c2f91445549663104f2d6d9ee41290d8d38bd5e00053de72adfc3788347ba6eac82fec50ab771b

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\uann45ug\uann45ug.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\uann45ug\uann45ug.cmdline
              Filesize

              369B

              MD5

              8496f33357daf372f4cd881abacade42

              SHA1

              66c9b00745c36491d6b832671f2c58aa9b7de890

              SHA256

              4fe82bc132ecba208eb93406aa13d9485a8289c9ee01112be26497e3e82a3ab3

              SHA512

              04347b246806a1851b2ef52559b37d26ae0db25876887e84986798e69d7ce06330b3caa521206f2da42126d2419d8454da358f777e93496b32bff3bbc9fb2a58

              Download Submit
            • memory/1940-98-0x00000165AAFF0000-0x00000165AAFF1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1940-95-0x00000165AB180000-0x00000165AB224000-memory.dmp
              Filesize

              656KB

              Download
            • memory/1940-108-0x00000165AB180000-0x00000165AB224000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2364-86-0x000001FD685B0000-0x000001FD685B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2364-111-0x000001FD68C40000-0x000001FD68CE4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2364-84-0x000001FD68C40000-0x000001FD68CE4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3216-47-0x00000000098A0000-0x0000000009944000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3216-96-0x00000000098A0000-0x0000000009944000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3216-48-0x0000000002E10000-0x0000000002E11000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3636-29-0x000001FEBA770000-0x000001FEBA778000-memory.dmp
              Filesize

              32KB

              Download
            • memory/3636-45-0x000001FEBA7C0000-0x000001FEBA7FD000-memory.dmp
              Filesize

              244KB

              Download
            • memory/3636-58-0x00007FFBC80E0000-0x00007FFBC8BA1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3636-15-0x000001FEBA400000-0x000001FEBA410000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3636-59-0x000001FEBA7C0000-0x000001FEBA7FD000-memory.dmp
              Filesize

              244KB

              Download
            • memory/3636-43-0x000001FEBA790000-0x000001FEBA798000-memory.dmp
              Filesize

              32KB

              Download
            • memory/3636-16-0x000001FEBA400000-0x000001FEBA410000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3636-4-0x000001FEBA410000-0x000001FEBA432000-memory.dmp
              Filesize

              136KB

              Download
            • memory/3636-14-0x00007FFBC80E0000-0x00007FFBC8BA1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3756-106-0x000002CB9DEB0000-0x000002CB9DF54000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3756-61-0x000002CB9DEB0000-0x000002CB9DF54000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3756-62-0x000002CB9B7C0000-0x000002CB9B7C1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4000-107-0x0000021F11BE0000-0x0000021F11C84000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4000-68-0x0000021F11BA0000-0x0000021F11BA1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4000-67-0x0000021F11BE0000-0x0000021F11C84000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4416-0-0x00000000005B0000-0x00000000005BD000-memory.dmp
              Filesize

              52KB

              Download
            • memory/4460-97-0x00000000016C0000-0x0000000001758000-memory.dmp
              Filesize

              608KB

              Download
            • memory/4460-101-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4460-105-0x00000000016C0000-0x0000000001758000-memory.dmp
              Filesize

              608KB

              Download
            • memory/4636-73-0x00000243834D0000-0x0000024383574000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4636-109-0x00000243834D0000-0x0000024383574000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4636-74-0x0000024383370000-0x0000024383371000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4804-75-0x00000141856B0000-0x0000014185754000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4804-78-0x00000141833E0000-0x00000141833E1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4804-110-0x00000141856B0000-0x0000014185754000-memory.dmp
              Filesize

              656KB

              Download