Overview

overview

10

Static

static

3

client.exe

windows7-x64

10

client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2023 18:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client.exe

  • Size

    359KB

  • MD5

    5afca9ef360236eaf6e55b2d8ce114be

  • SHA1

    7d2919aa03a96c91cc4d0724906c572e12a14d75

  • SHA256

    7e2adc1e8273c9662cc51304835805cc31d1a65c5b151789b69e5441cb666465

  • SHA512

    a52ca21d09fb22a85d5c01301f6d07538b1315764c07772ec0eb5c15d20cec5bc592213995d78e5b0f1bd4db41c605dc66057ef6c1043bc176e27c0b795ca2a8

  • SSDEEP

    6144:Lmjuf/Ei1AhA8QZtEH7wjYjjrF5GPKWpnSi97Q/VqMITAWWSlhEszcC:Lbf/P19b47wjYjj6dAAMoH7lhHcC

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

http://iextrawebty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\client.exe
    "C:\Users\Admin\AppData\Local\Temp\client.exe"
    1⤵
      PID:4104
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
      1⤵
        PID:3704
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3428

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3428-14-0x0000028B73D40000-0x0000028B73D50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3428-30-0x0000028B73E40000-0x0000028B73E50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3428-46-0x0000028B7C160000-0x0000028B7C161000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3428-48-0x0000028B7C190000-0x0000028B7C191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3428-49-0x0000028B7C190000-0x0000028B7C191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3428-50-0x0000028B7C2A0000-0x0000028B7C2A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4104-1-0x00000000008C0000-0x00000000008CC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4104-0-0x00000000008D0000-0x00000000008DF000-memory.dmp

        Filesize

        60KB

        Download

      • memory/4104-5-0x0000000002480000-0x000000000248F000-memory.dmp

        Filesize

        60KB

        Download

      • memory/4104-11-0x00000000024F0000-0x00000000024FD000-memory.dmp

        Filesize

        52KB

        Download