Overview

overview

10

Static

static

3

Client.exe

windows7-x64

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    181KB

  • MD5

    e54d9f8d9757fe6eead98ab59bd59ffa

  • SHA1

    60c8766682b968d9367f9099378f2c9f0ed07278

  • SHA256

    64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6

  • SHA512

    b362675e7c21b0336ed5844ed453334bd93257ea6901fed5b532d06db54ad775c33c17c753414f34c8c9117ce38cc072a4b59deeb7add1ea76b63183948f511e

  • SSDEEP

    3072:+gZW8+P3NtOTH8CG95Ja4tXybaVLbPkxAgaX6wwzCqIg9:+SWfPLOL85hlVfjRSIg9

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\system32\control.exe
        C:\Windows\system32\control.exe -h
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4116
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
          4⤵
            PID:3308
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bklg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bklg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F\\\MemoryMusic'));if(!window.flag)close()</script>"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rvgsdlfyg -value gp; new-alias -name edenxet -value iex; edenxet ([System.Text.Encoding]::ASCII.GetString((rvgsdlfyg "HKCU:Software\AppDataLow\Software\Microsoft\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F").LinkAbout))
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4900
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hoi1u3ur\hoi1u3ur.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:412
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1325.tmp" "c:\Users\Admin\AppData\Local\Temp\hoi1u3ur\CSC1ED04C0686A84055ACDD37CC5A86EC65.TMP"
              5⤵
                PID:4076
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q5n5bij3\q5n5bij3.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2324
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28D0.tmp" "c:\Users\Admin\AppData\Local\Temp\q5n5bij3\CSCC672AC686F164B3CA4478C2D381F253.TMP"
                5⤵
                  PID:2840
          • C:\Windows\syswow64\cmd.exe
            "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
            2⤵
              PID:4108
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3656
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
                PID:3908
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:2112
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                  • Modifies registry class
                  PID:1064

                Network

                MITRE ATT&CK Matrix ATT&CK v13

                Initial Access

                Execution

                Persistence

                Privilege Escalation

                Defense Evasion

                Credential Access

                Discovery

                Query Registry

                1
                T1012

                System Information Discovery

                2
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Resource Development

                Reconnaissance

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\RES1325.tmp
                  Filesize

                  1KB

                  MD5

                  42236e465c9e886e03ce54823fa7c90b

                  SHA1

                  fc60bf1642a5bbc876ecdf1c038c9b8612733448

                  SHA256

                  7c9c2e5820e090d06a6b47608602d7d18997c58181d32b9d0be3d761da3d3aee

                  SHA512

                  a20f11aaf1ae2e4576a88c43f9320a2a772d36bb36d3cc87778285217b4bc5630ddda26d549b09a0f6a2b1872fec573001f6b73317605986eb2f4e199c28dbed

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\RES28D0.tmp
                  Filesize

                  1KB

                  MD5

                  0e4ce6dc97d3c34cd90a58b86efe2df2

                  SHA1

                  8648d9bfdb5fe808c93017bcb99d31de935e9ac2

                  SHA256

                  2d7ad0be8afbd0a3a29287c29f4211361d0fc38804d0de2badd05ce9ce592ed1

                  SHA512

                  3583eaa081237477f2d0e9c52fbd05ef23c4b8314995ec48be527eae3e65a022588537455585e11523c93dbb1e1b8a3858834ed985147276c0f016cf51bbfba2

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1m0d2voz.pgh.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\hoi1u3ur\hoi1u3ur.dll
                  Filesize

                  3KB

                  MD5

                  f866a2d0f45dc9c6b4c4b4b47579cc95

                  SHA1

                  d16ee0ba8001722faad7feb4e62a28c81e6d29bf

                  SHA256

                  40a4cc5e09b566cc80e95ff356ec87c431e59ed04e513d5b0c36e5f7e1ae9eca

                  SHA512

                  02cc0c0678530a43e920f49e3673e152b388fe10e505075d2da48d934a69c7c33b7897887085256e4a8b82d8ed94c8c20f2a887638d80cf8ef48fab10f442515

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\q5n5bij3\q5n5bij3.dll
                  Filesize

                  3KB

                  MD5

                  ec5bbed7f5c5a30ad4c2e1a51e7081be

                  SHA1

                  cb8b838335099c3676c94840bef3b2d3f19d3340

                  SHA256

                  1098e3fe26cd3f35fc217201add4a0cea523d0b72437fa181dae770c9e546861

                  SHA512

                  b972c29c8988411c112c4aeb9df218a6f67a5242ab100448ecf7bd959b1918546d3c5930ee055ebcab1c4c02f36fb66622b60be5c4b2895250c87aa2904e6c1d

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\hoi1u3ur\CSC1ED04C0686A84055ACDD37CC5A86EC65.TMP
                  Filesize

                  652B

                  MD5

                  9723ba2a28feec7bb681bef1838cfed5

                  SHA1

                  a5f5f0b1ef059725e56f620eac69a3bd877900dc

                  SHA256

                  5e2e099ba777784879614cf6bb21ac95a1cf51511ecd7af100d466fce3d1e526

                  SHA512

                  6c12524e26fc5a10662986a4a774cc69c9af7a5b55b708b7ff94ff1aad171d67c101bd541fc222597e6048f17ca0ae86c08a7790e09846c3520e19689a4cec25

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\hoi1u3ur\hoi1u3ur.0.cs
                  Filesize

                  405B

                  MD5

                  caed0b2e2cebaecd1db50994e0c15272

                  SHA1

                  5dfac9382598e0ad2e700de4f833de155c9c65fa

                  SHA256

                  21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                  SHA512

                  86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\hoi1u3ur\hoi1u3ur.cmdline
                  Filesize

                  369B

                  MD5

                  41aec3f66f57eadda273a26a4dedec68

                  SHA1

                  82672c778a4a9c3c9e197c095a8827f5a4e67ba3

                  SHA256

                  b691ff76f3d7ea16c139bc302228120107b075deec7a65a41d508d36f6a94f8f

                  SHA512

                  a0b0dc5ac636d59c5becf281530e697ba47a48012a7887cf3fd1310055e2f92b7b6ec371915687d67d54a8f564ef2b792feede6c65a2b160bd4ab2e0e68dfd1e

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\q5n5bij3\CSCC672AC686F164B3CA4478C2D381F253.TMP
                  Filesize

                  652B

                  MD5

                  b90938957e989f300f5a7766cfd840e8

                  SHA1

                  8674eb639989cd5459dba86ac7eac5926062ca5c

                  SHA256

                  91d63a23c76d99f6513c8abdf6fad454969578567d0a9316819759a7e70cbe1c

                  SHA512

                  0678949352c73fb5aac1571586103ea54bf4cb15bc9d0911e9ad78ba644daf5e4e42ed5604f38d62e0a99ca794d29e1d3465e266b5e6a2b24c2ebafd3c478e0a

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\q5n5bij3\q5n5bij3.0.cs
                  Filesize

                  406B

                  MD5

                  ca8887eacd573690830f71efaf282712

                  SHA1

                  0acd4f49fc8cf6372950792402ec3aeb68569ef8

                  SHA256

                  568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                  SHA512

                  2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\q5n5bij3\q5n5bij3.cmdline
                  Filesize

                  369B

                  MD5

                  31dce7e6ce9ccecaa4eb67dba3e2ae7b

                  SHA1

                  836afb49070ed6dbf812d42c7730678d281b2cfc

                  SHA256

                  0144ee3597e4912de2f2c5c5c18f2bc26afdd0360af47e956c7bb86f4d230111

                  SHA512

                  b010ee43ad1133010781d5bd85ed57dea2a9222a08c1a97809a512bd44a9d81bdbc4adf166cc57757cb8c5275b4e3f4587789b2405d99874c24c27e6b5a35b8e

                  Download Submit
                • memory/432-5-0x0000000000400000-0x000000000040F000-memory.dmp
                  Filesize

                  60KB

                  Download
                • memory/432-1-0x0000000000C90000-0x0000000000C9F000-memory.dmp
                  Filesize

                  60KB

                  Download
                • memory/432-11-0x0000000000D10000-0x0000000000D1D000-memory.dmp
                  Filesize

                  52KB

                  Download
                • memory/432-0-0x0000000000C80000-0x0000000000C8C000-memory.dmp
                  Filesize

                  48KB

                  Download
                • memory/432-14-0x0000000000B50000-0x0000000000B63000-memory.dmp
                  Filesize

                  76KB

                  Download
                • memory/1064-113-0x000001BC78340000-0x000001BC783E4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/1064-135-0x000001BC78340000-0x000001BC783E4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/1064-118-0x000001BC77FD0000-0x000001BC77FD1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/2112-105-0x0000022572D70000-0x0000022572D71000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/2112-104-0x00000225734C0000-0x0000022573564000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/2112-134-0x00000225734C0000-0x0000022573564000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3144-72-0x00000000094B0000-0x0000000009554000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3144-73-0x00000000010E0000-0x00000000010E1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3144-125-0x0000000009560000-0x0000000009604000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3144-81-0x00000000010F0000-0x00000000010F1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3144-112-0x00000000094B0000-0x0000000009554000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3144-78-0x0000000009560000-0x0000000009604000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3308-115-0x00000147B9CF0000-0x00000147B9CF1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3308-123-0x00000147B9C40000-0x00000147B9CE4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3308-110-0x00000147B9C40000-0x00000147B9CE4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3656-132-0x000001F3BB500000-0x000001F3BB5A4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3656-91-0x000001F3BB500000-0x000001F3BB5A4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3656-92-0x000001F3BB130000-0x000001F3BB131000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3908-99-0x000001BFFF790000-0x000001BFFF791000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3908-133-0x000001BFFF7D0000-0x000001BFFF874000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3908-98-0x000001BFFF7D0000-0x000001BFFF874000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4108-130-0x0000000000B70000-0x0000000000C08000-memory.dmp
                  Filesize

                  608KB

                  Download
                • memory/4108-127-0x00000000005F0000-0x00000000005F1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4108-126-0x0000000000B70000-0x0000000000C08000-memory.dmp
                  Filesize

                  608KB

                  Download
                • memory/4116-66-0x0000000000110000-0x00000000001B4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4116-67-0x00000000001C0000-0x00000000001C1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4116-95-0x0000000000110000-0x00000000001B4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4116-124-0x0000000000110000-0x00000000001B4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4900-39-0x000001A8000F0000-0x000001A800100000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/4900-37-0x000001A8000F0000-0x000001A800100000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/4900-62-0x000001A818910000-0x000001A818918000-memory.dmp
                  Filesize

                  32KB

                  Download
                • memory/4900-48-0x000001A8188F0000-0x000001A8188F8000-memory.dmp
                  Filesize

                  32KB

                  Download
                • memory/4900-85-0x000001A818920000-0x000001A81895D000-memory.dmp
                  Filesize

                  244KB

                  Download
                • memory/4900-90-0x00007FFA59860000-0x00007FFA5A321000-memory.dmp
                  Filesize

                  10.8MB

                  Download
                • memory/4900-38-0x000001A8000F0000-0x000001A800100000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/4900-64-0x000001A818920000-0x000001A81895D000-memory.dmp
                  Filesize

                  244KB

                  Download
                • memory/4900-36-0x00007FFA59860000-0x00007FFA5A321000-memory.dmp
                  Filesize

                  10.8MB

                  Download
                • memory/4900-29-0x000001A8000F0000-0x000001A800100000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/4900-27-0x000001A8000F0000-0x000001A800100000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/4900-28-0x000001A8000F0000-0x000001A800100000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/4900-26-0x00007FFA59860000-0x00007FFA5A321000-memory.dmp
                  Filesize

                  10.8MB

                  Download
                • memory/4900-25-0x000001A87F610000-0x000001A87F632000-memory.dmp
                  Filesize

                  136KB

                  Download