Overview

overview

10

Static

static

3

Client.exe

windows7-x64

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    171s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 09:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    287KB

  • MD5

    bbf59fbbb9de660e113d82597c289cff

  • SHA1

    85e3f40d8e5e5b93ef0e45e3cb5eec9dd19685be

  • SHA256

    26dc3b58f57bf1d28e20374fcc13c33f3bc75bd753cf19afb617101f403f7b81

  • SHA512

    8310447870f5de4ae575306391295f205d8ec0e3295f30e8b79e6d65a4e85ad408b0d07859e1c30294c843e5d23ca324d24fb20fe9ddb299dc4ad47d6a24cbfa

  • SSDEEP

    3072:j6ya4jStntwsx48m71HMmJn0iZw6vK1ZRQxAgaX6wwrz+UTaBgfUd0:Q4gtTm7+mJnNZfK1ZRHRoJ

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3748
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4908
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4008
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Users\Admin\AppData\Local\Temp\Client.exe
          "C:\Users\Admin\AppData\Local\Temp\Client.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4200
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Emvg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Emvg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F\\\MemoryMusic'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1136
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fgoejwqgm -value gp; new-alias -name xtnccwuudo -value iex; xtnccwuudo ([System.Text.Encoding]::ASCII.GetString((fgoejwqgm "HKCU:Software\AppDataLow\Software\Microsoft\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F").LinkAbout))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3272
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mgxeph1t\mgxeph1t.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:5096
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C6A.tmp" "c:\Users\Admin\AppData\Local\Temp\mgxeph1t\CSC8A09B8E8A1FB45F69E425666B8368F4.TMP"
                5⤵
                  PID:4288
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gm4km1uu\gm4km1uu.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1084
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DC2.tmp" "c:\Users\Admin\AppData\Local\Temp\gm4km1uu\CSCD87FD8C0438A4C6CAEC5762EE23D8BE2.TMP"
                  5⤵
                    PID:1212
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\Client.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:940
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:3248
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:4672
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:520

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Remote System Discovery

            1
            T1018

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\RES9C6A.tmp
              Filesize

              1KB

              MD5

              478e52276871546f842e22d3e30efc64

              SHA1

              3e8155928f64c8717579542241b4cab7c415b9d1

              SHA256

              55fcf3a4e961b653722259a2dcbd65e314c92e49a0b74dc0ef23ddbb715834dd

              SHA512

              3325590210b6bb0b6156446ad4a4cad5aff3dd45213b82ad817bd29c440936b53517bc8bc929d7fbac1309cac6b53dcc916792751d8ffb7cd26c4da17dc4d5a5

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\RES9DC2.tmp
              Filesize

              1KB

              MD5

              528aa4de46da40b63b6e365b224c7dc7

              SHA1

              b01b199d8b0b1d4ef0c42b8fc79e46121ef4b3ee

              SHA256

              17d7bedb062179f4efb86ec59573108768bf50ff4bccf2fde4e32d804f9b0e93

              SHA512

              73fd6e43942b2bc629384dc2e7592b3bf22ba92176b69e205b211c57317361510aeee924694ed1a074277149060fabe40a07a721e77a2c85a158fd69626d4826

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3qovt4t.pc4.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\gm4km1uu\gm4km1uu.dll
              Filesize

              3KB

              MD5

              2e135c43a1aaf5cfae7e3f3b157097a8

              SHA1

              76c981ab0e665c5c07c5a66de296c97ba7933186

              SHA256

              f02dd191934d65eef8053a07aa6c67f66a187fcc9ce1a9949691af84e7ee3363

              SHA512

              5486ddc45e73da97702f7805701949ff2284e1e46bb768cc7448ee12e2258fae81ce8604762a841911a1a4596b6b61390add34ca15fc0da05fea9715da16b517

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\mgxeph1t\mgxeph1t.dll
              Filesize

              3KB

              MD5

              2baa5e6438b2bb6ff3bf0074393f6bf1

              SHA1

              984ce182d3ca4da6b6e6841f2b6fd2e42b44d323

              SHA256

              b1a0d44774877ea893d2cfd557dc2f4867c042636abf8b22d548313097ebf966

              SHA512

              481784e5602f7c2c04c847607f4aaf9fbfa8a22047b2b89bf2fc703edcd0a29d5cd1b4df8d8fc2aadaad2c6381de8bfdc879064912e01ec6cb19e82baf96aca4

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\gm4km1uu\CSCD87FD8C0438A4C6CAEC5762EE23D8BE2.TMP
              Filesize

              652B

              MD5

              cbce5999b2b7c483392832d60002f39a

              SHA1

              b3ede57822b8cc2e4c763a01345aefc2d6305582

              SHA256

              71ba47ef94f7c9b4160be8962cc4817f998aceff7d1826f850d0b7dbdf4bbc50

              SHA512

              5a376a70b86678e4edb5cdc49fa8d37a8fcd47d222c064624fb46dfd7d7d43c2de6d14d18707c2c45aaf9b7fb4b92e99214d45171cdb3aa9357cc3a50dde0b6f

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\gm4km1uu\gm4km1uu.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\gm4km1uu\gm4km1uu.cmdline
              Filesize

              369B

              MD5

              0f5bc683853cab71d34d52af17b7257e

              SHA1

              00ab0a8eabe4a0ae8ac0ae607730df229daff709

              SHA256

              43fda8b54363eb2c768645dddd8c8cd705e551464af8d88a0acfbb5a4a3257e8

              SHA512

              dac9a1c4e1ad0c31bff68b8a7eaa03f3ebc2734951995d41fb6faeed1ced0ff49697e6406ae843a0b16a3657a2dd030c34eb9b4ec0e18a48c974fc381bf34864

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\mgxeph1t\CSC8A09B8E8A1FB45F69E425666B8368F4.TMP
              Filesize

              652B

              MD5

              4a9b4973a54e3ec43c595362d0393172

              SHA1

              edf434f3e193754686ac34cc981d39b31755793b

              SHA256

              4d7dc66ae663af4b121dc248eb48c1ef79301047ba73b6cb27a836910fd5ac51

              SHA512

              0754a3f6d715bd7f5e20c9545ec61a176eb56e298d11c7b7a35f5f4f0c9e8b1f9ef39b140dba575122c8961d6970031c4e93dd36a7d89e9a5a943ab1038b0103

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\mgxeph1t\mgxeph1t.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\mgxeph1t\mgxeph1t.cmdline
              Filesize

              369B

              MD5

              ff7c6bb9e837f503584faec9fccbf0dc

              SHA1

              a50e267dd3e579a15c37164d8f8859f0aaf98d4a

              SHA256

              022606039c0c9560ec51da547b4aa2d52438a89c854bd6448b13565f92b02e29

              SHA512

              156e35fe8fdb53ca73817a4b2baa19fdb4249c37ba8c795aa544f0cefdb8487724e97872745a2984ae8ab32cd49d35f70a24200785936dc3944c56370b4f0c3c

              Download Submit
            • memory/520-98-0x000002D238000000-0x000002D2380A4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/520-99-0x000002D237D60000-0x000002D237D61000-memory.dmp
              Filesize

              4KB

              Download
            • memory/520-126-0x000002D238000000-0x000002D2380A4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/772-104-0x0000000008F60000-0x0000000009004000-memory.dmp
              Filesize

              656KB

              Download
            • memory/772-66-0x0000000002A50000-0x0000000002A51000-memory.dmp
              Filesize

              4KB

              Download
            • memory/772-65-0x0000000008F60000-0x0000000009004000-memory.dmp
              Filesize

              656KB

              Download
            • memory/940-128-0x0000023D7ACB0000-0x0000023D7AD54000-memory.dmp
              Filesize

              656KB

              Download
            • memory/940-106-0x0000023D7AB70000-0x0000023D7AB71000-memory.dmp
              Filesize

              4KB

              Download
            • memory/940-103-0x0000023D7ACB0000-0x0000023D7AD54000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3248-112-0x000001D95B250000-0x000001D95B2F4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3248-113-0x000001D95B0F0000-0x000001D95B0F1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3248-127-0x000001D95B250000-0x000001D95B2F4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3272-27-0x00007FFE43240000-0x00007FFE43D01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3272-77-0x00000205CDE30000-0x00000205CDE6D000-memory.dmp
              Filesize

              244KB

              Download
            • memory/3272-62-0x00000205B5370000-0x00000205B5380000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3272-63-0x00000205CDE30000-0x00000205CDE6D000-memory.dmp
              Filesize

              244KB

              Download
            • memory/3272-22-0x00000205CDA80000-0x00000205CDAA2000-memory.dmp
              Filesize

              136KB

              Download
            • memory/3272-28-0x00000205B5370000-0x00000205B5380000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3272-76-0x00007FFE43240000-0x00007FFE43D01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3272-60-0x00000205CDE20000-0x00000205CDE28000-memory.dmp
              Filesize

              32KB

              Download
            • memory/3272-44-0x00000205B5370000-0x00000205B5380000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3272-36-0x00007FFE43240000-0x00007FFE43D01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/3272-43-0x00000205B5370000-0x00000205B5380000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3272-29-0x00000205B5370000-0x00000205B5380000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3272-46-0x00000205B53E0000-0x00000205B53E8000-memory.dmp
              Filesize

              32KB

              Download
            • memory/3748-115-0x0000020E39500000-0x0000020E395A4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3748-80-0x0000020E395B0000-0x0000020E395B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3748-79-0x0000020E39500000-0x0000020E395A4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4008-85-0x000001ECC25D0000-0x000001ECC2674000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4008-119-0x000001ECC25D0000-0x000001ECC2674000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4008-86-0x000001ECC2590000-0x000001ECC2591000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4200-0-0x0000000000B80000-0x0000000000B8F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/4200-5-0x0000000000400000-0x000000000040F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/4200-11-0x0000000000BB0000-0x0000000000BBD000-memory.dmp
              Filesize

              52KB

              Download
            • memory/4200-1-0x0000000000B70000-0x0000000000B7C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/4200-14-0x0000000000B50000-0x0000000000B63000-memory.dmp
              Filesize

              76KB

              Download
            • memory/4672-117-0x0000000000AF0000-0x0000000000B88000-memory.dmp
              Filesize

              608KB

              Download
            • memory/4672-121-0x00000000009C0000-0x00000000009C1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4672-123-0x0000000000AF0000-0x0000000000B88000-memory.dmp
              Filesize

              608KB

              Download
            • memory/4908-92-0x000001FB3B1A0000-0x000001FB3B1A1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4908-125-0x000001FB3B9F0000-0x000001FB3BA94000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4908-91-0x000001FB3B9F0000-0x000001FB3BA94000-memory.dmp
              Filesize

              656KB

              Download