Overview

overview

10

Static

static

3

26dc3b58f5...JC.exe

windows7-x64

10

26dc3b58f5...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 06:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81_JC.exe

  • Size

    287KB

  • MD5

    bbf59fbbb9de660e113d82597c289cff

  • SHA1

    85e3f40d8e5e5b93ef0e45e3cb5eec9dd19685be

  • SHA256

    26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81

  • SHA512

    8310447870f5de4ae575306391295f205d8ec0e3295f30e8b79e6d65a4e85ad408b0d07859e1c30294c843e5d23ca324d24fb20fe9ddb299dc4ad47d6a24cbfa

  • SSDEEP

    3072:j6ya4jStntwsx48m71HMmJn0iZw6vK1ZRQxAgaX6wwrz+UTaBgfUd0:Q4gtTm7+mJnNZfK1ZRHRoJ

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3688
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4840
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3972
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3184
        • C:\Users\Admin\AppData\Local\Temp\26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81_JC.exe
          "C:\Users\Admin\AppData\Local\Temp\26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81_JC.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4692
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ofhy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ofhy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F\\\MemoryMusic'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxtaqlluru -value gp; new-alias -name rwtqha -value iex; rwtqha ([System.Text.Encoding]::ASCII.GetString((jxtaqlluru "HKCU:Software\AppDataLow\Software\Microsoft\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F").LinkAbout))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4808
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ilh0lc1r\ilh0lc1r.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3140
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA55.tmp" "c:\Users\Admin\AppData\Local\Temp\ilh0lc1r\CSCB6646705ABF9477988F54D6260F253.TMP"
                5⤵
                  PID:4588
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\22kdlwx5\22kdlwx5.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2252
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB9D.tmp" "c:\Users\Admin\AppData\Local\Temp\22kdlwx5\CSC595557EBED91469BABA9ADC55346E9CB.TMP"
                  5⤵
                    PID:1404
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81_JC.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1432
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:2224
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:1240
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:3848

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\22kdlwx5\22kdlwx5.dll
              Filesize

              3KB

              MD5

              a9db0b69707615ad3b6f259ee6466c3d

              SHA1

              b01692b97e72a14727643baa394a4bc7dd99cb93

              SHA256

              513587fe8b7fab0c5597e8d6ea0541310354c8106e45b6d822c284c449d7280b

              SHA512

              40bc90729f0e09fc15da5c6735fb7c1c3d7c2668156b6c7ebe57d679728bfd6f9fc1a5af84444bcf24948168f51772d1b2f064a91f8addf52efa1201f047c398

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\RESCA55.tmp
              Filesize

              1KB

              MD5

              788bd02554da4b88f5d38de380b839d3

              SHA1

              e695abbe50713415b0d61bb333d7bac88e199c83

              SHA256

              3601350e323fade6369481f0a03a6aaef7e21dd87bfb66760609bf8c7fac3e53

              SHA512

              d374298b16266fef56e4b9a6e483ee0997e5ff546ed39e4c0aaccd6c9b3e3fe3c387b313fbf9335ae77bc0f2fae13aea467e43a9fc33d4425d231103c11f8640

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\RESCB9D.tmp
              Filesize

              1KB

              MD5

              51c73fc3da0ab72fbc61eca1ce432dee

              SHA1

              632d4ecc745101e994af730c8ece592fda819de3

              SHA256

              bc2290bbf79b89cadc33c94d747f893ba886551cd2d8d36d39d1a8e3a8152a3b

              SHA512

              df2cf6accbfa71f94ee7a0c8622b15ca8b59541f96117c6157c6d2a17ee02a4619de6f44360da3d7cec7cccc9d03ed0f7dfd3a3b5bf8adb42d6233c3f5fece29

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xo52jhgq.mxk.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\ilh0lc1r\ilh0lc1r.dll
              Filesize

              3KB

              MD5

              8586e4a8106e9a118aa9ca32bd43e07a

              SHA1

              26597981d94aa4d365153e527c603b124e3422d8

              SHA256

              ed05c2d9cb4365f33e9d616912bd28ab5c5f18fa19e911a505f9825bbb9f961e

              SHA512

              ef223180b2a5d8879608cab60692331d2d1c81636a6a744c1d3a8f38d624600c208576e7164d0e7518bdd4b1fe1d81d5e51c0eaa45428b24e44e700c3832182d

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\22kdlwx5\22kdlwx5.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\22kdlwx5\22kdlwx5.cmdline
              Filesize

              369B

              MD5

              8cf807e51d7cb23f1d98bb0af2dbf031

              SHA1

              3cca376325f8f047b0c66a6322b0f577b740008f

              SHA256

              1d4d3c8593a56df365ca0c9d6b71c60e01d074b2c1bfa337f443b170193838ad

              SHA512

              43f79b750be56f752abc122e95db599cccfd460049d57ab52bf5c6bd072556b066ce66ecce4eada243365d8329f7c16dff851923dbf04ab015340ccc262e89b2

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\22kdlwx5\CSC595557EBED91469BABA9ADC55346E9CB.TMP
              Filesize

              652B

              MD5

              97923618188a1aeaa60a97b240c985fb

              SHA1

              3c71ff5bb30a1542dfcea07c7c4b8afd0e9d5c97

              SHA256

              44f61596161ec96ace2d8828a66541e907ac8a03b5d569ada4ce893e0ec002ce

              SHA512

              c758ad36a37f9c5e80fbacbd865d152898f5b2c8c7aeacf720933abb73418ba434c7e1de65e8e8548c0818e12247738e6789b019c97ac35b8a390120ecec6e34

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\ilh0lc1r\CSCB6646705ABF9477988F54D6260F253.TMP
              Filesize

              652B

              MD5

              55c50e43d7241e546789bbd834d283a5

              SHA1

              e1b757d1c5bea7b52f34a3a6d51907039920e165

              SHA256

              589cce14d7e9e638e5532bf1e719b42912e7b9ce38745c9820e11d16fdb048ad

              SHA512

              e695dfe6a9624e68e8af441096266ebb9767d44f9a6940fe21c15327bd4e24dab58e67bd12af08556c3ae736e68abcd0eb9dacd2bcd5bcae5355972285be1938

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\ilh0lc1r\ilh0lc1r.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\ilh0lc1r\ilh0lc1r.cmdline
              Filesize

              369B

              MD5

              ebc26d15289b44dc4cff4189eee6f28f

              SHA1

              76ad5afe5b2893045de4c9d81b0766cfc1b8dfcf

              SHA256

              944c9a54c816ce01ae65fb406a19b2d9402cbde7cf50a225bfa8bb5d28c53fe7

              SHA512

              a1cda7fce260b4a2eeecd9d68e03d8b0e7b6a409a640b6c23e6f9434f4a1a278ee0fedd7137e737fc27ef98b47c905ce1c10a45ec25602e51a5c46532e3c5561

              Download Submit
            • memory/1240-117-0x0000000001480000-0x0000000001518000-memory.dmp
              Filesize

              608KB

              Download
            • memory/1240-118-0x00000000010C0000-0x00000000010C1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1240-121-0x0000000001480000-0x0000000001518000-memory.dmp
              Filesize

              608KB

              Download
            • memory/1432-106-0x0000019341FD0000-0x0000019341FD1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1432-103-0x0000019342140000-0x00000193421E4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/1432-122-0x0000019342140000-0x00000193421E4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2224-112-0x00000223E8C30000-0x00000223E8CD4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2224-113-0x00000223E8CE0000-0x00000223E8CE1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2224-123-0x00000223E8C30000-0x00000223E8CD4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3184-60-0x0000000008B10000-0x0000000008BB4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3184-61-0x0000000002F70000-0x0000000002F71000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3184-97-0x0000000008B10000-0x0000000008BB4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3688-74-0x0000020CD4000000-0x0000020CD40A4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3688-75-0x0000020CD17D0000-0x0000020CD17D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3688-99-0x0000020CD4000000-0x0000020CD40A4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3848-92-0x000001D09B800000-0x000001D09B8A4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3848-105-0x000001D09B800000-0x000001D09B8A4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3848-93-0x000001D09B550000-0x000001D09B551000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3972-100-0x0000012356D40000-0x0000012356DE4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3972-80-0x0000012356D40000-0x0000012356DE4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3972-81-0x0000012356D00000-0x0000012356D01000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4692-5-0x0000000000680000-0x000000000068F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/4692-11-0x00000000006F0000-0x00000000006FD000-memory.dmp
              Filesize

              52KB

              Download
            • memory/4692-14-0x0000000000630000-0x0000000000643000-memory.dmp
              Filesize

              76KB

              Download
            • memory/4692-1-0x0000000000670000-0x000000000067F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/4692-0-0x0000000000660000-0x000000000066C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/4808-71-0x00007FFAAAE80000-0x00007FFAAB941000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4808-42-0x000002D5EB670000-0x000002D5EB678000-memory.dmp
              Filesize

              32KB

              Download
            • memory/4808-29-0x000002D5EB6B0000-0x000002D5EB6C0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4808-72-0x000002D5EB990000-0x000002D5EB9CD000-memory.dmp
              Filesize

              244KB

              Download
            • memory/4808-28-0x000002D5EB6B0000-0x000002D5EB6C0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4808-27-0x00007FFAAAE80000-0x00007FFAAB941000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4808-17-0x000002D5EB680000-0x000002D5EB6A2000-memory.dmp
              Filesize

              136KB

              Download
            • memory/4808-56-0x000002D5EB980000-0x000002D5EB988000-memory.dmp
              Filesize

              32KB

              Download
            • memory/4808-58-0x000002D5EB990000-0x000002D5EB9CD000-memory.dmp
              Filesize

              244KB

              Download
            • memory/4840-102-0x00000213D4B50000-0x00000213D4BF4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4840-87-0x00000213D43F0000-0x00000213D43F1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4840-86-0x00000213D4B50000-0x00000213D4BF4000-memory.dmp
              Filesize

              656KB

              Download