Overview

overview

10

Static

static

3

Client.exe

windows7-x64

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    406KB

  • MD5

    2f5a00394c3568e91f6302dc6c8b196c

  • SHA1

    116f6ba99db4592f1ab5ccb1a734fdc5a52021bc

  • SHA256

    3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd

  • SHA512

    a30efa790e3ad7af4e574ef0bf359b6a91691947cf434ddcd30a228af29dea0a9b5c1daff050ecae6e88912e8f04813f1df9680e6fc896cee63e36476e4bbe36

  • SSDEEP

    12288:l1HmKzwKhZhZsuyOtldw5hbu5Ty7pySxN1t:bHGKhZzLQ5Wn6H

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 56 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3708
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4924
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4064
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\AppData\Local\Temp\Client.exe
          "C:\Users\Admin\AppData\Local\Temp\Client.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2932
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>X2iw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(X2iw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9\\\MemoryLocal'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ywglbkiub -value gp; new-alias -name rmsynggefx -value iex; rmsynggefx ([System.Text.Encoding]::ASCII.GetString((ywglbkiub "HKCU:Software\AppDataLow\Software\Microsoft\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9").ProcessActive))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4424
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r3rlaeja\r3rlaeja.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2948
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES408E.tmp" "c:\Users\Admin\AppData\Local\Temp\r3rlaeja\CSC6D82890CD23D4E5EAF3757A80421AE6.TMP"
                5⤵
                  PID:2016
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2tezdmyy\2tezdmyy.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2936
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES411B.tmp" "c:\Users\Admin\AppData\Local\Temp\2tezdmyy\CSCD235FEB5B3554D708BD4DA067901770.TMP"
                  5⤵
                    PID:412
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\Client.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1552
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:2856
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:5060
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:732

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Remote System Discovery

            1
            T1018

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\2tezdmyy\2tezdmyy.dll
              Filesize

              3KB

              MD5

              1b57dc81055b78bf9f57bce3f5cb9fb9

              SHA1

              6cd3505740942d3cc8b4a9d66c52cb6b1034d665

              SHA256

              4257f6d7e0165949faef65ba501220a2be3d0427d4ad395b729499b5387c06f1

              SHA512

              66af84e0695a3ed656db27c6b88b43be73cd682bfd5b146bd642e183826e44bfe18f52872e94cfb3b082053cdce519ba91fe2d30a9053863eaf3325f5a327dca

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\RES408E.tmp
              Filesize

              1KB

              MD5

              2482a557655be5f5f02415c997a7af2c

              SHA1

              9c18a0fc232bc3b5450f24e74d150fe43d47ac03

              SHA256

              b8355b5b0f623ec054c1ae2fd686f9f03a14f5518e1cc6717cb8c992ee1439ae

              SHA512

              801a7f169d5f8304ccecc369f29217ee368cabbf16a5d90e389771c2abc0242328d8fb86d51f121ad6d2900a6b02ac8bf5c886948b0ec1efed65c8ab11143723

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\RES411B.tmp
              Filesize

              1KB

              MD5

              f6067eb3f7186ac73f61c6af90107474

              SHA1

              5a32baf175631d791e0b231c0cb8bcfb2e5e3f4a

              SHA256

              b027c5e217c899cb3b84b3a95da71e56e7c8e099c99301d96779c510596b833a

              SHA512

              d412a20d57e099404ddebd289a89b2f0e2ef4108f2a68ade763c80778eb99d22c76c25791326879871f11ad0d7fb2306a82922062b735dbe43fa876fe47ce514

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ev00avql.fng.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\r3rlaeja\r3rlaeja.dll
              Filesize

              3KB

              MD5

              c69b1fb3223c53c608cb64951175b3ba

              SHA1

              4208bff48f67aca5dc4fca5573d10bafe92f36e0

              SHA256

              7aa05088ba55533edca3219ad058a6b377eb9f45551f06a55f1372aac55f087f

              SHA512

              996d0a28fe7e22a78804bdd908a502896b53bf7ed5c30395391f601ba32902ad7f761056d92d37db73124c52c2b4ca77930995666e703a6f14582b4945437c97

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\2tezdmyy\2tezdmyy.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\2tezdmyy\2tezdmyy.cmdline
              Filesize

              369B

              MD5

              17171b279024a22914ecaa88a9906dfc

              SHA1

              31bfbb5705e1d0e97803e7c5e2e58d5fabd3cd70

              SHA256

              7b9e1b8dc5506ad889bc617a5cf81987e5fc458b1a46db4417a7af6ac7cf2a51

              SHA512

              ba2e3dc11cb4759bff5396e6be2943bd55b6572e7e41a9eb39925637ac015259649dae445c30f164fec0d641cfd79490e4ac20052cb2b93223db101ab47b6f3e

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\2tezdmyy\CSCD235FEB5B3554D708BD4DA067901770.TMP
              Filesize

              652B

              MD5

              978707ab5618611e2719553ad4f7a33d

              SHA1

              2c4b16424384ce4fbe28dd9428bcb4c533b61137

              SHA256

              bb19e54c17aefa82f35581860ecd7be7c820f1f64426aabe926993699e06f7ff

              SHA512

              079e37ca7dac4bc3a443b3aad6469bffe2702b88e40dd875644e4f3e4e861e4a3f4e4ebc9519ded9ff1efc2b2cbbdeb5bc8ca2dcfad94e8fb3635aac4b9a9ad8

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\r3rlaeja\CSC6D82890CD23D4E5EAF3757A80421AE6.TMP
              Filesize

              652B

              MD5

              75061783314895a23c766b097fe9b26a

              SHA1

              b15a3b1128ea62cb32cbfbb282dcdb1b4c2016d3

              SHA256

              e1b724ce25a79a2413a16e1c38193ba3212a2aa6b96adc3f111c04ea49ce73d8

              SHA512

              7751c105cb75dd2cd0be177d49961f6c02f38d2a38c012cd7eb79c08b60c21b22f193a0ba9adf2b9e9e72bf955a8d1e2d0903ee11a532819dd1ad290fd83f4ff

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\r3rlaeja\r3rlaeja.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\r3rlaeja\r3rlaeja.cmdline
              Filesize

              369B

              MD5

              1f524d8e367de2fc6be1f616888238e4

              SHA1

              995cc4b871238ee856484a2fe4f8368ce3b79e1d

              SHA256

              f81bc6e58083f386fff0ecb20b4f4b8969ee94d722d2c3c7de1cfc887bf883e5

              SHA512

              9b7c48f41c1ad0a462395590e84ebc0f18c2941a3974ceebd8f9c2700ad7f864bcff4470ea5a987efa297f7847e4cdb3a3867889af98af142758ddeaecf857d8

              Download Submit
            • memory/732-90-0x0000018C18330000-0x0000018C183D4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/732-91-0x0000018C183E0000-0x0000018C183E1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/732-120-0x0000018C18330000-0x0000018C183D4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/1552-101-0x0000013641F60000-0x0000013641F61000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1552-119-0x0000013641EB0000-0x0000013641F54000-memory.dmp
              Filesize

              656KB

              Download
            • memory/1552-98-0x0000013641EB0000-0x0000013641F54000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2540-60-0x0000000002810000-0x0000000002811000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2540-59-0x00000000087F0000-0x0000000008894000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2540-99-0x00000000087F0000-0x0000000008894000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2856-106-0x000001CC83660000-0x000001CC83661000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2856-118-0x000001CC835B0000-0x000001CC83654000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2856-105-0x000001CC835B0000-0x000001CC83654000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2932-1-0x0000000001480000-0x000000000148F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/2932-11-0x0000000003160000-0x000000000316D000-memory.dmp
              Filesize

              52KB

              Download
            • memory/2932-5-0x0000000000400000-0x000000000040F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/2932-0-0x0000000001470000-0x000000000147C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/3708-109-0x000002643FA20000-0x000002643FAC4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3708-73-0x000002643FA20000-0x000002643FAC4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3708-74-0x000002643FAD0000-0x000002643FAD1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4064-116-0x00000167C1980000-0x00000167C1A24000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4064-80-0x00000167C1940000-0x00000167C1941000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4064-79-0x00000167C1980000-0x00000167C1A24000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4424-70-0x00007FFB64300000-0x00007FFB64DC1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4424-27-0x000001629C8C0000-0x000001629C8D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4424-20-0x00000162B4EC0000-0x00000162B4EE2000-memory.dmp
              Filesize

              136KB

              Download
            • memory/4424-26-0x000001629C8C0000-0x000001629C8D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4424-71-0x00000162B5270000-0x00000162B52AD000-memory.dmp
              Filesize

              244KB

              Download
            • memory/4424-25-0x00007FFB64300000-0x00007FFB64DC1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4424-55-0x00000162B5260000-0x00000162B5268000-memory.dmp
              Filesize

              32KB

              Download
            • memory/4424-41-0x000001629CAA0000-0x000001629CAA8000-memory.dmp
              Filesize

              32KB

              Download
            • memory/4424-57-0x00000162B5270000-0x00000162B52AD000-memory.dmp
              Filesize

              244KB

              Download
            • memory/4424-28-0x000001629C8C0000-0x000001629C8D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4924-85-0x0000015243240000-0x0000015243241000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4924-83-0x0000015243460000-0x0000015243504000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4924-117-0x0000015243460000-0x0000015243504000-memory.dmp
              Filesize

              656KB

              Download
            • memory/5060-107-0x0000000000BF0000-0x0000000000C88000-memory.dmp
              Filesize

              608KB

              Download
            • memory/5060-115-0x0000000000BF0000-0x0000000000C88000-memory.dmp
              Filesize

              608KB

              Download
            • memory/5060-112-0x0000000000560000-0x0000000000561000-memory.dmp
              Filesize

              4KB

              Download