Overview

overview

10

Static

static

3

Client.exe

windows7-x64

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    406KB

  • MD5

    2f5a00394c3568e91f6302dc6c8b196c

  • SHA1

    116f6ba99db4592f1ab5ccb1a734fdc5a52021bc

  • SHA256

    3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd

  • SHA512

    a30efa790e3ad7af4e574ef0bf359b6a91691947cf434ddcd30a228af29dea0a9b5c1daff050ecae6e88912e8f04813f1df9680e6fc896cee63e36476e4bbe36

  • SSDEEP

    12288:l1HmKzwKhZhZsuyOtldw5hbu5Ty7pySxN1t:bHGKhZzLQ5Wn6H

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3796
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Windows\system32\control.exe
        C:\Windows\system32\control.exe -h
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
          4⤵
            PID:1124
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "about:<hta:application><script>S7r5='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(S7r5).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\304F83E1-CF18-E2AF-D964-73361DD857CA\\\OperatorAbout'));if(!window.flag)close()</script>"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name bgmxmujvua -value gp; new-alias -name pfseee -value iex; pfseee ([System.Text.Encoding]::ASCII.GetString((bgmxmujvua "HKCU:Software\AppDataLow\Software\Microsoft\304F83E1-CF18-E2AF-D964-73361DD857CA").ClassDocument))
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4164
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a2vqmhp3\a2vqmhp3.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FE5.tmp" "c:\Users\Admin\AppData\Local\Temp\a2vqmhp3\CSC9DBE3E73ADC2436985DEBB66A598991D.TMP"
              5⤵
                PID:4140
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a1kiw4jr\a1kiw4jr.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2472
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA090.tmp" "c:\Users\Admin\AppData\Local\Temp\a1kiw4jr\CSC7CC3C4DD5A704F77A53B68C08C2DC73.TMP"
                5⤵
                  PID:4864
          • C:\Windows\syswow64\cmd.exe
            "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
            2⤵
              PID:4336
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:4728
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
                PID:4088
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                • Modifies registry class
                PID:1184

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RES9FE5.tmp
                Filesize

                1KB

                MD5

                a53191c6655676f71f83214eb781517e

                SHA1

                59d41ab1211e66a8f69a933e24dd573154fe47dc

                SHA256

                e5aec00ddf6a2d7aa9199d33113a52298e4121e85a5c1b0bc07d65a1e017a402

                SHA512

                f3d7cba61f99767690d1e8c8820ecffd15dbba28aa96825b7f67a934f623bb3a5ce0e905e5b9fa884afacdf9fe0039ae36f4afb76daae4a49fa862744e5e31b7

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RESA090.tmp
                Filesize

                1KB

                MD5

                ff3e30669a6fb966a6d0c8ed05398e66

                SHA1

                84ac213919711d4a0ba5c2f6ce5082102ca99290

                SHA256

                f42d9f8f7c6f3352b4554b15182b322daf30f4a9f53d7ca6c6381f0b68aaa360

                SHA512

                3035355faa726e0f842271fb901790479acdc31af6db8247194e1d740a08bc2d34fa5c30055120431a0acadfd607f5009bc9e50b23235829eaf8f9e951199d1f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvjnpux0.luq.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\a1kiw4jr\a1kiw4jr.dll
                Filesize

                3KB

                MD5

                974d2752a9cefdd29d5840a955ef866a

                SHA1

                114828a32b9071295a323cc8280097c29205d862

                SHA256

                45708284c999cddbd08770c9a2534adfd83d16413729fb4b9cf0cc97d5bfc28f

                SHA512

                af9fb2ef3b20d12e0b41f021e219c38a5cfdb459b860e1f63400295b0ae71d494d572f379432887fab770c42b323788a0469bde4ad654675f5ecd1056f5aa3f0

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\a2vqmhp3\a2vqmhp3.dll
                Filesize

                3KB

                MD5

                3e88778000023df252ec78e9bacd3f3d

                SHA1

                39cc37830123d037c1db961256add1e6be0c259d

                SHA256

                a204d4a2ce3032264e730b50ccce46b2239687e568091969f1b8dc4bf5398691

                SHA512

                e6f73ab8f6e5ebe6f6bf69b9622c598650877a1fcf75b13aee50486ddbaaa415f724a2a11eea5af213750fced74a0c0057d9137d7d13339d688d8a07a093dfa3

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\a1kiw4jr\CSC7CC3C4DD5A704F77A53B68C08C2DC73.TMP
                Filesize

                652B

                MD5

                6807a8875199b231f6d465e798320406

                SHA1

                cfa94f93d9ce9cf5342cd26c3168fce58388120e

                SHA256

                b2f4b570a939903844c3a9bcd118c2048075e3a7c08937d2b4bf6306e2050a45

                SHA512

                0466df5014949dd0774cc8af81838b629908e2d7eb8d125850f371dee10c33b8e89f336036a6fbe8d073c767999dc8d64157c6e31d33894c106e45450f628536

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\a1kiw4jr\a1kiw4jr.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\a1kiw4jr\a1kiw4jr.cmdline
                Filesize

                369B

                MD5

                a40c3861f186fe1df431c347243f8445

                SHA1

                63039c6fd9a8ecbeba61b6a449dfdfddd88f6563

                SHA256

                5a89704f643ce64e9d1ff0ed3f63dfddbbe1f69b637669fe8b70269656ac977a

                SHA512

                961ca50346354a7526a7a29d4c04f95d77c3d36071909027017a5e67901770e2811e0f4390ca8b66a4899defd4380e0bda1fbf43a0ef9657868fc70e06a37c7c

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\a2vqmhp3\CSC9DBE3E73ADC2436985DEBB66A598991D.TMP
                Filesize

                652B

                MD5

                c61b0950a993f6e126f2285ebaf7c4e0

                SHA1

                4a8ecafa9347ea8469c46a2d11771330643b9cc0

                SHA256

                6143baaa8a542fce9ba00bee48cda526696b516cb4a287e21de6e2616f92105b

                SHA512

                9f8ecf312c273de0856a2bb1e87c09a987069d79c64c9840f5e8f0f61415183d38ec249cb41b722985ec9ce6f280dbc1221b43d1ed793aaa9e74e787acdaedec

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\a2vqmhp3\a2vqmhp3.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\a2vqmhp3\a2vqmhp3.cmdline
                Filesize

                369B

                MD5

                201c2e5714cef15c9d991360af37c743

                SHA1

                f937edf34ed57be195a4b65972870ff9acd68627

                SHA256

                f3d5124222e00e09617666dd132070d05722cd8852c38a154e63c2f8b49580e7

                SHA512

                32b9428bad3f9aa86d6ee635d7ef9cf5c1b66cebdd373c26b2f0d2335efa7674f45361474edb86c2257f5ff31758caa81c14840472bdeb886bbd13bd78cdc93d

                Download Submit
              • memory/1124-34-0x00000211A2230000-0x00000211A22D4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1124-38-0x00000211A2230000-0x00000211A22D4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1184-67-0x00000224D91E0000-0x00000224D91E1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1184-59-0x00000224D9670000-0x00000224D9714000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1184-68-0x00000224D9670000-0x00000224D9714000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1632-39-0x0000000000A70000-0x0000000000B14000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1632-26-0x0000000000A70000-0x0000000000B14000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1632-24-0x0000000000B20000-0x0000000000B21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1632-20-0x0000000000A70000-0x0000000000B14000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3228-98-0x00000000085F0000-0x0000000008694000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3228-28-0x00000000085F0000-0x0000000008694000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3228-29-0x0000000002FB0000-0x0000000002FB1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3796-69-0x000001DB747B0000-0x000001DB747B1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3796-70-0x000001DB74700000-0x000001DB747A4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3796-44-0x000001DB74700000-0x000001DB747A4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3936-1-0x00000000023E0000-0x00000000023EF000-memory.dmp
                Filesize

                60KB

                Download
              • memory/3936-0-0x00000000023D0000-0x00000000023DC000-memory.dmp
                Filesize

                48KB

                Download
              • memory/3936-5-0x00000000023F0000-0x00000000023FF000-memory.dmp
                Filesize

                60KB

                Download
              • memory/3936-11-0x0000000002470000-0x000000000247D000-memory.dmp
                Filesize

                52KB

                Download
              • memory/3936-14-0x00000000023B0000-0x00000000023C3000-memory.dmp
                Filesize

                76KB

                Download
              • memory/4088-64-0x00000190663E0000-0x0000019066484000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4088-63-0x00000190663A0000-0x00000190663A1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4088-49-0x00000190663E0000-0x0000019066484000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4164-106-0x0000022E50C90000-0x0000022E50C98000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4164-120-0x0000022E50CB0000-0x0000022E50CB8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4164-89-0x0000022E38480000-0x0000022E38490000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4164-91-0x0000022E38480000-0x0000022E38490000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4164-88-0x00007FFF53040000-0x00007FFF53B01000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4164-78-0x0000022E50B20000-0x0000022E50B42000-memory.dmp
                Filesize

                136KB

                Download
              • memory/4164-90-0x0000022E38480000-0x0000022E38490000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4164-125-0x00007FFF53040000-0x00007FFF53B01000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4164-123-0x0000022E50CC0000-0x0000022E50CFD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4336-73-0x0000000000E50000-0x0000000000EE8000-memory.dmp
                Filesize

                608KB

                Download
              • memory/4336-74-0x0000000000F00000-0x0000000000F01000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4336-77-0x0000000000E50000-0x0000000000EE8000-memory.dmp
                Filesize

                608KB

                Download
              • memory/4728-54-0x000002C226420000-0x000002C2264C4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4728-65-0x000002C225BC0000-0x000002C225BC1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4728-66-0x000002C226420000-0x000002C2264C4000-memory.dmp
                Filesize

                656KB

                Download