Overview

overview

10

Static

static

3

Client.exe

windows7-x64

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    171s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 08:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    422KB

  • MD5

    c788f8e7a2d0311297bd198ca9d05ec8

  • SHA1

    64240992ba99ae27b0bb4fe277a95524a4b139db

  • SHA256

    bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd

  • SHA512

    2295c28aa11e3c1ea09f0ba790ea1e8322b3c996f4f27bf0aec9edf0997329ea8d13b98417e856f7bd922f4a0d9ef786117b8354a04b752d53e6b53733db4f5d

  • SSDEEP

    6144:eH0vsBFRMXdX0tn7qnmUVR9g0pHii2B8mG+R2FLxgwExgw:eH0v4FRyX0tnWnN9pHiN4+R2NxEx

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3816
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4688
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4024
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3180
        • C:\Users\Admin\AppData\Local\Temp\Client.exe
          "C:\Users\Admin\AppData\Local\Temp\Client.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2100
          • C:\Windows\system32\control.exe
            C:\Windows\system32\control.exe -h
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:3728
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
              4⤵
                PID:4772
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "about:<hta:application><script>F5h1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F5h1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\79A35AC8-8476-1390-56BD-F8F7EA41AC1B\\\CharControl'));if(!window.flag)close()</script>"
            2⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:3288
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kpfirkje -value gp; new-alias -name ygtibclecg -value iex; ygtibclecg ([System.Text.Encoding]::ASCII.GetString((kpfirkje "HKCU:Software\AppDataLow\Software\Microsoft\79A35AC8-8476-1390-56BD-F8F7EA41AC1B").TimeAbout))
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2408
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o23l1t40\o23l1t40.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3892
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA776.tmp" "c:\Users\Admin\AppData\Local\Temp\o23l1t40\CSC2BD219D293884B2F8F52826CECA0599D.TMP"
                  5⤵
                    PID:1384
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fhy23csa\fhy23csa.cmdline"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2384
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA812.tmp" "c:\Users\Admin\AppData\Local\Temp\fhy23csa\CSC6B16921CA7154E9DA9674ED6667AA5B2.TMP"
                    5⤵
                      PID:4364
              • C:\Windows\syswow64\cmd.exe
                "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
                2⤵
                  PID:3868
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                • Modifies registry class
                PID:4892

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RESA776.tmp
                Filesize

                1KB

                MD5

                d93091489802ad762dc4428475c0119a

                SHA1

                5f133617c3f63162ae050b48d2fea465ddb54360

                SHA256

                ae689757474a34866ed38eb5b1e03b389ec01f6d8131c42579fa6654a53d36fe

                SHA512

                dbc1c78963b3c2c94d329073d53b90fd901de30c695bac36a2bcb19757895ea47822a11b0809b6913fa2e42c74b469010822e2cb1919c20a0ef5b4994b5402e6

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5wub2jnx.3nk.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\fhy23csa\fhy23csa.dll
                Filesize

                3KB

                MD5

                ef55a4d1a1375982820c22e8d1a66eb4

                SHA1

                ac519f4443e06bda42c5bb3a3cfe18b665206a11

                SHA256

                19820e77b3a2b6c0fb48ab4f3c4f307b74010eec14fe39c3b1a40c0eb637589c

                SHA512

                9728309be85432cd747d594039ce193ab974d0610448345d527da67dc3070a190c0c5ad451a8e1f30574fd4f6cc35ce82749e5777645e02cbaaae48eab0b3131

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\o23l1t40\o23l1t40.dll
                Filesize

                3KB

                MD5

                264ce29649f85eb4d00f4b4f772249be

                SHA1

                4d643842132ba33891b301321107247c204f85d0

                SHA256

                cefee2a0bb46725396cd6642afc675a47ff41d1cdefbea19aad69041e8a1220c

                SHA512

                22bf337cb8befce29d5740c8e31d841794b16ea2555263b394340f8f056cdc1d092407ecda375f845b1382ffcc433bc1f3cbfe29c5cc2ead0656fbea264a7034

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\fhy23csa\fhy23csa.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\fhy23csa\fhy23csa.cmdline
                Filesize

                369B

                MD5

                2d015b722d53f1f7c64f305aa9491f32

                SHA1

                56514a10adbfaf0b55dc9993083add6895bfe55e

                SHA256

                446f69acde53ec38d61de34e1cb46e3dd96cdcf0416e9fb31861209f4bffa1a8

                SHA512

                fcf4006ceb7d1dc03a0a46ec29919ee86db7921700843ec061905a57a4ea264e2040cbae093a81768b60ccba7f6ec2aa3e57591ac35e94cac64e198104e0f1de

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\o23l1t40\CSC2BD219D293884B2F8F52826CECA0599D.TMP
                Filesize

                652B

                MD5

                38e6326ebf68a27666e1603c469942de

                SHA1

                e80511038e4a9a7fe00b6c48dec12d80190ca56d

                SHA256

                7001124d59995be8a09afb5d3627570625d6d5521d433c935593332f7b366962

                SHA512

                b3b76f0afba51c3c952767a2a1014578faa1b00d3040c8d5bca04b3113a1091d303324071e5e4c564ba8ab6f01e820e6ea2effe44a653421a756e46328986635

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\o23l1t40\o23l1t40.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\o23l1t40\o23l1t40.cmdline
                Filesize

                369B

                MD5

                d2d4024ad56d70f3cac58e78543b9a9e

                SHA1

                b1f653ffb65c54bcc079f4803ba6f12423cf5911

                SHA256

                64a004c9a54149f604bf5220ef674873efe9c163f8c31186bab16bdd3c6ef040

                SHA512

                ff57042e9217add1245a5dfc90e2dcbe26f875ea5f41b4daf538a58f950e05844a44bb37223907ff6223711b2975702f49429c4fc8aafc634ec988fca4e3f11d

                Download Submit
              • memory/2100-11-0x0000000000FC0000-0x0000000000FCD000-memory.dmp
                Filesize

                52KB

                Download
              • memory/2100-1-0x00000000009E0000-0x00000000009EC000-memory.dmp
                Filesize

                48KB

                Download
              • memory/2100-5-0x0000000000F40000-0x0000000000F4F000-memory.dmp
                Filesize

                60KB

                Download
              • memory/2100-0-0x0000000000F30000-0x0000000000F3F000-memory.dmp
                Filesize

                60KB

                Download
              • memory/2408-29-0x000001AF28810000-0x000001AF28820000-memory.dmp
                Filesize

                64KB

                Download
              • memory/2408-78-0x000001AF28800000-0x000001AF28808000-memory.dmp
                Filesize

                32KB

                Download
              • memory/2408-109-0x000001AF28990000-0x000001AF289CD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/2408-30-0x000001AF28810000-0x000001AF28820000-memory.dmp
                Filesize

                64KB

                Download
              • memory/2408-108-0x00007FFD55D80000-0x00007FFD56841000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2408-28-0x00007FFD55D80000-0x00007FFD56841000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2408-49-0x000001AF10320000-0x000001AF10328000-memory.dmp
                Filesize

                32KB

                Download
              • memory/2408-27-0x000001AF28810000-0x000001AF28820000-memory.dmp
                Filesize

                64KB

                Download
              • memory/2408-26-0x000001AF28810000-0x000001AF28820000-memory.dmp
                Filesize

                64KB

                Download
              • memory/2408-105-0x000001AF28990000-0x000001AF289CD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/2408-24-0x000001AF28920000-0x000001AF28942000-memory.dmp
                Filesize

                136KB

                Download
              • memory/2408-25-0x00007FFD55D80000-0x00007FFD56841000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3180-62-0x0000000002A00000-0x0000000002A01000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3180-61-0x0000000008EA0000-0x0000000008F44000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3180-94-0x0000000008EA0000-0x0000000008F44000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3728-73-0x0000000000840000-0x00000000008E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3728-38-0x00000000008F0000-0x00000000008F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3728-37-0x0000000000840000-0x00000000008E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3816-81-0x00000209D9C20000-0x00000209D9CC4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3816-82-0x00000209D8DA0000-0x00000209D8DA1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3816-110-0x00000209D9C20000-0x00000209D9CC4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3868-115-0x0000000001190000-0x0000000001191000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3868-119-0x0000000001320000-0x00000000013B8000-memory.dmp
                Filesize

                608KB

                Download
              • memory/3868-114-0x0000000001320000-0x00000000013B8000-memory.dmp
                Filesize

                608KB

                Download
              • memory/4024-88-0x0000024CB3A60000-0x0000024CB3A61000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4024-112-0x0000024CB3AA0000-0x0000024CB3B44000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4024-87-0x0000024CB3AA0000-0x0000024CB3B44000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4688-113-0x0000023E69700000-0x0000023E697A4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4688-96-0x0000023E68FB0000-0x0000023E68FB1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4688-93-0x0000023E69700000-0x0000023E697A4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4772-68-0x000002401B1F0000-0x000002401B1F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4772-72-0x000002401B220000-0x000002401B2C4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4772-67-0x000002401B220000-0x000002401B2C4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4892-101-0x0000020571580000-0x0000020571581000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4892-100-0x00000205714D0000-0x0000020571574000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4892-117-0x00000205714D0000-0x0000020571574000-memory.dmp
                Filesize

                656KB

                Download