Overview

overview

10

Static

static

3

Client.exe

windows7-x64

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    406KB

  • MD5

    2f5a00394c3568e91f6302dc6c8b196c

  • SHA1

    116f6ba99db4592f1ab5ccb1a734fdc5a52021bc

  • SHA256

    3a1211935c4bd148eb6fb23c40d4806ee5a488b09bd61b3c0d15a47dbbfe64fd

  • SHA512

    a30efa790e3ad7af4e574ef0bf359b6a91691947cf434ddcd30a228af29dea0a9b5c1daff050ecae6e88912e8f04813f1df9680e6fc896cee63e36476e4bbe36

  • SSDEEP

    12288:l1HmKzwKhZhZsuyOtldw5hbu5Ty7pySxN1t:bHGKhZzLQ5Wn6H

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3804
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:1912
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4024
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3188
        • C:\Users\Admin\AppData\Local\Temp\Client.exe
          "C:\Users\Admin\AppData\Local\Temp\Client.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3660
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mfat='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mfat).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ydgiltpsjv -value gp; new-alias -name uwcqsq -value iex; uwcqsq ([System.Text.Encoding]::ASCII.GetString((ydgiltpsjv "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2916
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cf1dzey5\cf1dzey5.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4100
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F99.tmp" "c:\Users\Admin\AppData\Local\Temp\cf1dzey5\CSCD509E10B67544FA6B739E47ED1A01BC.TMP"
                5⤵
                  PID:1704
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ourpigx2\ourpigx2.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1496
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90C2.tmp" "c:\Users\Admin\AppData\Local\Temp\ourpigx2\CSC4753AF1A44B7477984EE675B6D90CA5C.TMP"
                  5⤵
                    PID:5048
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\Client.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:2684
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:2160
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:1684
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:4208

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\RES8F99.tmp
              Filesize

              1KB

              MD5

              041a447ed7472a863b7a2790420caec8

              SHA1

              3ab077396278fe0aef09abc4e29554b419425070

              SHA256

              5e1c72c77d3b124e15e7393d58b8cfbd68fc80f908af3a0edabe94631c3a61e2

              SHA512

              bc015fc882d04b5e0e2bfdb60e9b9493c3f393502aeb39196f1f744113647456e774bcc89d4d4c9436946bfd1f98a25331e912c588a5531a8c8889d9fd01d228

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES90C2.tmp
              Filesize

              1KB

              MD5

              ff000e8e382c18849c7f85976f31082a

              SHA1

              424b10e0a4b876fe713f8a75af0e1b6d98c0a52c

              SHA256

              f35890e29a12ae2d1d6fd4a1703bde48a65145691554c89cb30db52b19ac7a1a

              SHA512

              682a44b012471c0b4c49a60b0db6f957c23999204b8d62a82dc9976af2db7728c5ab0f0f6ef2e4fe1a6b12026ae8b371668a37f5fa743bdad5e15ba0c6422f75

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ng0qrfs.csr.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\cf1dzey5\cf1dzey5.dll
              Filesize

              3KB

              MD5

              cb83b142ecd44301e0b2372d33712245

              SHA1

              3757e6ddc2b4b6320607e6c79fdc31b7df4a1d3f

              SHA256

              b4ba23f44d05202b711bcea0f197623be214531b554b6ccd4a5c0d7b0f96e103

              SHA512

              2ca96ef9bf50c28deb27e49a52ae305f8c94192046c2aab4aeae0eb46a14a0650d1870ce2d587903457bc93a15fb5116a61cdc5eb058583499a489c5467c94a4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\ourpigx2\ourpigx2.dll
              Filesize

              3KB

              MD5

              555b7d351cb66049cd16c3d5c703ca1a

              SHA1

              8827a88d18c5a29bf6c373f7f0f00a0d1deda2c8

              SHA256

              18d9453e2e182e00ae438d9cc60916c92f357dda6dd8e7d5742521e4abddbf6a

              SHA512

              7c5b0a295a2b72e131f63bb182d0a4807ce4610d5edafa3af4e16237e45ba4f5ffe58a085d77c19ce5525f09c262de3c6f0b935208165838689c969ffe2a3e6a

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\cf1dzey5\CSCD509E10B67544FA6B739E47ED1A01BC.TMP
              Filesize

              652B

              MD5

              b84d6282c30519fe1b08542dcd45b417

              SHA1

              eec2baaa60cec2d6bd74b46397e6bc8877c241fa

              SHA256

              d4b735bd5b9056ca37c889a9ed52dea552e70cdab314c97e851615ff7f4a72a7

              SHA512

              d7781a6ef4f9860811b6e6410b4d3d626321db8674746a66784c500292c5986a97727ed89959b44bfc8e5b3918fff44faf4dcca795d264adf210cf3c6b4d882a

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\cf1dzey5\cf1dzey5.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\cf1dzey5\cf1dzey5.cmdline
              Filesize

              369B

              MD5

              1ec606afc89e073e64b76e7fad6d8f5f

              SHA1

              3cb58e4c17640d9fb2d0c50db5cbdc370de53958

              SHA256

              e192d13a6fdc943fb36de79e003d6f7b5669cbed2bc81e5d18fb9924c00330b7

              SHA512

              84dc6cc764c68798da82f899679bdbf93d73a6e57f3322aa04555eb48f368428cd9d1057da4e0197a65786c45d714e79edbb663d0e03090d4a6f02c5a1f7dadb

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\ourpigx2\CSC4753AF1A44B7477984EE675B6D90CA5C.TMP
              Filesize

              652B

              MD5

              0222594ba83a64e89539ff24a41bea3b

              SHA1

              0407059660213a55426705fd0a44055722c076a1

              SHA256

              9035bce6a97cf78da5a9d58fad4f3eb24143a3ce0665fe0e9b3a21e34f0d8955

              SHA512

              f2960c2de781df223a819f7d423f42fc8ab2ad8e4a474d831806edf0342376a848604beaa03f7fc144bf8d46eded1ef73717a6ca91e68efbb6fa52757dd6c8ea

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\ourpigx2\ourpigx2.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\ourpigx2\ourpigx2.cmdline
              Filesize

              369B

              MD5

              66696f9b2d6b62e0d8519cdca673e788

              SHA1

              0083bd3dada5f1bcfdaac0d32991c25f564c042a

              SHA256

              19815298900760ee3aff460934f1d897cc19c5d0e38fae58c489189f2968f147

              SHA512

              da116f359a485f9e767f6c86cc373b975337320f04709153ab205f09268b2b706835e433dd4c28ea1b52cd06d35ef097eff5d9458f33a3b963d95dfa5f154591

              Download Submit

            • memory/1684-108-0x0000000000930000-0x00000000009C8000-memory.dmp

              Filesize

              608KB

              Download

            • memory/1684-106-0x00000000008D0000-0x00000000008D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1684-103-0x0000000000930000-0x00000000009C8000-memory.dmp

              Filesize

              608KB

              Download

            • memory/1912-117-0x0000025F869C0000-0x0000025F86A64000-memory.dmp

              Filesize

              656KB

              Download

            • memory/1912-85-0x0000025F847D0000-0x0000025F847D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1912-84-0x0000025F869C0000-0x0000025F86A64000-memory.dmp

              Filesize

              656KB

              Download

            • memory/2160-111-0x000001A6F9470000-0x000001A6F9471000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2160-110-0x000001A6F93C0000-0x000001A6F9464000-memory.dmp

              Filesize

              656KB

              Download

            • memory/2160-118-0x000001A6F93C0000-0x000001A6F9464000-memory.dmp

              Filesize

              656KB

              Download

            • memory/2684-100-0x000001D84AB10000-0x000001D84AB11000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2684-119-0x000001D84AA60000-0x000001D84AB04000-memory.dmp

              Filesize

              656KB

              Download

            • memory/2684-97-0x000001D84AA60000-0x000001D84AB04000-memory.dmp

              Filesize

              656KB

              Download

            • memory/2916-20-0x00000288EFAB0000-0x00000288EFAD2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2916-54-0x00000288EFED0000-0x00000288EFED8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2916-70-0x00000288F0130000-0x00000288F016D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/2916-26-0x00000288EFB30000-0x00000288EFB40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2916-56-0x00000288F0130000-0x00000288F016D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/2916-27-0x00000288EFB30000-0x00000288EFB40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2916-25-0x00007FFB72F10000-0x00007FFB739D1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2916-69-0x00007FFB72F10000-0x00007FFB739D1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2916-40-0x00000288EFAA0000-0x00000288EFAA8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3188-58-0x0000000008980000-0x0000000008A24000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3188-98-0x0000000008980000-0x0000000008A24000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3188-59-0x0000000002C20000-0x0000000002C21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3660-11-0x0000000003100000-0x000000000310D000-memory.dmp

              Filesize

              52KB

              Download

            • memory/3660-5-0x0000000000400000-0x000000000040F000-memory.dmp

              Filesize

              60KB

              Download

            • memory/3660-0-0x0000000002F80000-0x0000000002F8C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3660-1-0x0000000002F90000-0x0000000002F9F000-memory.dmp

              Filesize

              60KB

              Download

            • memory/3804-73-0x0000021B5F9B0000-0x0000021B5F9B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3804-113-0x0000021B5FB30000-0x0000021B5FBD4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3804-72-0x0000021B5FB30000-0x0000021B5FBD4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4024-116-0x000001BEDAA20000-0x000001BEDAAC4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4024-79-0x000001BEDA9E0000-0x000001BEDA9E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4024-77-0x000001BEDAA20000-0x000001BEDAAC4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4208-90-0x000001C6D3A20000-0x000001C6D3A21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4208-89-0x000001C6D3F40000-0x000001C6D3FE4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4208-120-0x000001C6D3F40000-0x000001C6D3FE4000-memory.dmp

              Filesize

              656KB

              Download