Overview

overview

10

Static

static

3

Client.exe

windows7-x64

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    171s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    181KB

  • MD5

    e54d9f8d9757fe6eead98ab59bd59ffa

  • SHA1

    60c8766682b968d9367f9099378f2c9f0ed07278

  • SHA256

    64eee9187e295afcb6989200de6fef6ca563d48881784c38765e5cc590e55ad6

  • SHA512

    b362675e7c21b0336ed5844ed453334bd93257ea6901fed5b532d06db54ad775c33c17c753414f34c8c9117ce38cc072a4b59deeb7add1ea76b63183948f511e

  • SSDEEP

    3072:+gZW8+P3NtOTH8CG95Ja4tXybaVLbPkxAgaX6wwzCqIg9:+SWfPLOL85hlVfjRSIg9

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com
Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3716
  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:5020
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4840
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3988
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3136
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>L7xs='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(L7xs).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name tmnirt -value gp; new-alias -name kyyemclnvj -value iex; kyyemclnvj ([System.Text.Encoding]::ASCII.GetString((tmnirt "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1660
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i0try2yw\i0try2yw.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2840
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C6C.tmp" "c:\Users\Admin\AppData\Local\Temp\i0try2yw\CSCD716EEE75894499E8695FB1C1C717AE.TMP"
                5⤵
                  PID:4744
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cbmktrc4\cbmktrc4.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1508
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B41.tmp" "c:\Users\Admin\AppData\Local\Temp\cbmktrc4\CSCE8D37534EFF2455698FCDB1CE367A570.TMP"
                  5⤵
                    PID:2972
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\Client.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1232
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:2492
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:4364
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:1328

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\RES1C6C.tmp
              Filesize

              1KB

              MD5

              0d293a2fc81f05b02cb8d434d178d8df

              SHA1

              29e40b15a28b5c962b760c12e063e41b5a9cf99c

              SHA256

              eda2962ee4c7cfcc24495b9a6260980a7bc8c90864793dd6fae3538bcb64f6e5

              SHA512

              dd9ed9eb8d055eca6011e525c52cbc26a01314164a1c9856a0ed56456a7a061b56a76497066a2fd4305a334e9fb7adeacd90238ba9c4aa9b1c515b99767f1302

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES2B41.tmp
              Filesize

              1KB

              MD5

              2774abd984eb408d84540b4e94094938

              SHA1

              ae3fec3ddbfd1c999af47e7a0c25e3432a804ac2

              SHA256

              280f7a9965b12376ffde27997e0756f59c8ba264d10a44ca9e35cb9c83e9a2d2

              SHA512

              ecafde6397326d2c22348ec7915dc2cc7f053f2e0476ad85a5698270acf611ebad1187b9493231adcce0fe0a48f70e0dabcf022d22215b8868a867749d90beb6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_leosnnlb.aem.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\cbmktrc4\cbmktrc4.dll
              Filesize

              3KB

              MD5

              99e2d90c933f17c6367ea15fe9c5f7d8

              SHA1

              58579cbac9e5f0eb7ccc88473993b886e2ed9b6e

              SHA256

              b5fa193a441f2a91ec29508640f7034299ff3cb226c9e5f8262c5f6cd20dc46e

              SHA512

              2bcee4b827b14cc3140cdf8f349bb634ee60226daf6e60196c2902ad085aaaa76c45a2c276044be321a840fb03962052e2bc065ff46ae5ef326e22bfd741286e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\i0try2yw\i0try2yw.dll
              Filesize

              3KB

              MD5

              d05f3e78a6ee314c983d4c593514cb9c

              SHA1

              59c5b670cbd8f4746c5724704fa39a4c5c215cc2

              SHA256

              8bda3eb959e7d37ddb1f8a2c64849dfce053b6fe6dc898a98f85e974cc59605f

              SHA512

              aa5145d45c953f909441abfeac6d69b5779c59a28dcf04e8833c262b9d10242218bfe5da049039cb6d64b8a1c3eed076a962dd4f3b56bf814f94f77cf19c2fe6

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\cbmktrc4\CSCE8D37534EFF2455698FCDB1CE367A570.TMP
              Filesize

              652B

              MD5

              7020a3fecb06f61287530e621e0d94e2

              SHA1

              cdf05a22b7e2b601f52a2432ae6a4d476e9f38b3

              SHA256

              191abf760ebdb798df00d8d9a3d0c74bfa230b234b4fc9f853a3f78969ebb90d

              SHA512

              4a41c280aa32d9b11dbbd7d87c5ae4ddcf62bea395cd00c05fbcb02fff23b274182b364c4504cfe3aafc164fa2038de20bed9bee2b0063df74cc6ab55df97188

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\cbmktrc4\cbmktrc4.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\cbmktrc4\cbmktrc4.cmdline
              Filesize

              369B

              MD5

              c7de24998a5071515b47d595e83b7b93

              SHA1

              7f8c1cda934063d7d05743e995988dca674c48c9

              SHA256

              54b3a1291abb515bc66d2799c4461cb008f179b00e1f3bc6632632cdf0eec548

              SHA512

              010e20939fb52659fd83d0c4fde55865096dd3bc028c9473c1417171e35971ad9affc580db11284f706180b315b2207b55e20466f88b06176b984ee6f8940012

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\i0try2yw\CSCD716EEE75894499E8695FB1C1C717AE.TMP
              Filesize

              652B

              MD5

              f4a6db0a17df4fc03e3b07d10a063b9c

              SHA1

              8d50c55fac891cbdaa6372d9a644f35e2f0cd5fe

              SHA256

              35d84059c4cb128a6044d45ec243e92b0ca004e46737752e0527c6919df4ea8c

              SHA512

              92f5bf85eb7a777c3d6179db0a0d41e3805cead08850d3e0e08d498194162becaeac5cdd7fdfc7f6dd8c4c6d810c452ffb273ee9a1bf1fe1357752992020a874

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\i0try2yw\i0try2yw.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\i0try2yw\i0try2yw.cmdline
              Filesize

              369B

              MD5

              a8a687b75d27e2c0eb169018652410ea

              SHA1

              eebda54d8fabc054abe3f730b51adf375e7c8d5d

              SHA256

              110123f4e642768f40d619217b9250bf26972b2de787687f6c21e7b93b655a97

              SHA512

              d9bed7839423673991bb10f19fd590a76c790600b1b685eff5907ea1ea00fbc35bcc423b3e5af66d36693d88999f185ff91ea7f2f22faaa6d11a4b799daeb1b4

              Download Submit

            • memory/1232-81-0x0000012715330000-0x00000127153D4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/1232-83-0x00000127153E0000-0x00000127153E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1232-119-0x0000012715330000-0x00000127153D4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/1328-105-0x00000207C1540000-0x00000207C15E4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/1328-106-0x00000207C1500000-0x00000207C1501000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1328-129-0x00000207C1540000-0x00000207C15E4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/1660-61-0x000001C270D00000-0x000001C270D08000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1660-73-0x00007FFC1DB40000-0x00007FFC1E601000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1660-44-0x000001C270D50000-0x000001C270D60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1660-43-0x000001C270D50000-0x000001C270D60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1660-42-0x00007FFC1DB40000-0x00007FFC1E601000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1660-52-0x000001C270D50000-0x000001C270D60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1660-29-0x000001C270D50000-0x000001C270D60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1660-28-0x000001C270D50000-0x000001C270D60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1660-27-0x000001C270D50000-0x000001C270D60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1660-46-0x000001C270CE0000-0x000001C270CE8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1660-64-0x000001C2711A0000-0x000001C2711DD000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1660-21-0x000001C270D10000-0x000001C270D32000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1660-26-0x00007FFC1DB40000-0x00007FFC1E601000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1660-74-0x000001C2711A0000-0x000001C2711DD000-memory.dmp

              Filesize

              244KB

              Download

            • memory/2492-112-0x00000278646A0000-0x0000027864744000-memory.dmp

              Filesize

              656KB

              Download

            • memory/2492-115-0x0000027864500000-0x0000027864501000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2492-128-0x00000278646A0000-0x0000027864744000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3136-66-0x0000000000710000-0x0000000000711000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3136-67-0x00000000081C0000-0x0000000008264000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3136-113-0x00000000081C0000-0x0000000008264000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3716-86-0x0000023C0EE90000-0x0000023C0EE91000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3716-82-0x0000023C0FB10000-0x0000023C0FBB4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3716-120-0x0000023C0FB10000-0x0000023C0FBB4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3988-91-0x000001DF90AD0000-0x000001DF90AD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3988-89-0x000001DF90B10000-0x000001DF90BB4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3988-124-0x000001DF90B10000-0x000001DF90BB4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4364-126-0x0000000000BB0000-0x0000000000C48000-memory.dmp

              Filesize

              608KB

              Download

            • memory/4364-121-0x0000000000BB0000-0x0000000000C48000-memory.dmp

              Filesize

              608KB

              Download

            • memory/4364-122-0x0000000000360000-0x0000000000361000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4840-100-0x0000024F251A0000-0x0000024F251A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4840-98-0x0000024F25A00000-0x0000024F25AA4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4840-127-0x0000024F25A00000-0x0000024F25AA4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/5020-14-0x0000000000890000-0x00000000008A3000-memory.dmp

              Filesize

              76KB

              Download

            • memory/5020-5-0x00000000009D0000-0x00000000009DF000-memory.dmp

              Filesize

              60KB

              Download

            • memory/5020-11-0x0000000000A50000-0x0000000000A5D000-memory.dmp

              Filesize

              52KB

              Download

            • memory/5020-0-0x00000000008B0000-0x00000000008BC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/5020-1-0x00000000008C0000-0x00000000008CF000-memory.dmp

              Filesize

              60KB

              Download