Overview

overview

10

Static

static

3

3d7fdc6d08...d1.exe

windows7-x64

10

3d7fdc6d08...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    163s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2023 00:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d7fdc6d0893aa64bd0f8daece522cd1.exe

  • Size

    203KB

  • MD5

    3d7fdc6d0893aa64bd0f8daece522cd1

  • SHA1

    1add16a3af0deceb70620ff7cc4a74ef36ed336f

  • SHA256

    053dc4a1b017763cc18dae20e2ab00a2023df8cb28a23665dbf6032981f057a6

  • SHA512

    930901e711730b644398905ddfb0a536e2ac3dd6870d5dc05e5fead58f08a30f46a1be43adb0307ddfde341b4f40fb251f09b2e340d31d3090cb7679af5bb61b

  • SSDEEP

    3072:mxNji2dQ6v4uPXDNUj4jKBonzmLXlYVRLh0epEEZqkFBc4+uTqN76o:cRdp4uPZzGonqXGXh0bluBc4GZ5

Score
10/10
gozi3162bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3162

C2

menehleibe.com

liemuteste.com

thulligend.com
Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d7fdc6d0893aa64bd0f8daece522cd1.exe
    "C:\Users\Admin\AppData\Local\Temp\3d7fdc6d0893aa64bd0f8daece522cd1.exe"
    1⤵
      PID:2928
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2600
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2688
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1056
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1580

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      1KB

      MD5

      f755a40f164f79a6cf5a9e38ebcf5f56

      SHA1

      2378fd8fe9a9faa4f465a6a746433923f76edd80

      SHA256

      8e7025e50fc3f89d1dda4a9e81a2a38e07b208c991f6d229446eae90944ae0bc

      SHA512

      32a47444241f140cfe20c58a9c044029cb2dd7c2d35fe92e0730232a800e48b2917c98003cfcfd8ed1a76d5f74564988d40bea4d9df00ec40e69bfe03a971cc5

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_BF65129E34A9A67CDB29CEA5E724F901
      Filesize

      471B

      MD5

      b88cde4a9f94f2b055a149b9899abc60

      SHA1

      1df8511af9f329e5dbaef55c74e562dfb61f418b

      SHA256

      a23399f60474b39111a7720a182cd5df306b69c5ea9665d2d1adc9ef34fcc793

      SHA512

      ad549cd3d30653993d248363ca1dcd53003f0fd0f84b45a0fc4e51c681faf794a069ebba3fcbdf7ba9a7d1e1329c81801a8f26ba02205e9ca5f52de8d705e0e3

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
      Filesize

      724B

      MD5

      ac89a852c2aaa3d389b2d2dd312ad367

      SHA1

      8f421dd6493c61dbda6b839e2debb7b50a20c930

      SHA256

      0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

      SHA512

      c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_92A59A0F4F7E0452583B0BE3284C67BD
      Filesize

      472B

      MD5

      5a04d452cde448b8a8bb2b3bd05cc7cc

      SHA1

      f552240aff99b29a907e691b55657107b52cfdcf

      SHA256

      9a6941d0bd3eaee27865668b4f42f85374d479ad8741e001e26dc06790a36510

      SHA512

      1e02ab29c312ab2920858a92c739377746afad0b4b29aa02264edfa95f0fd7276f62562295e20e40e0031bda4727c65bd94f9028bd968ca4c185089bb5d90eb8

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      410B

      MD5

      2682427aa8ae6bb3a83719029d541e71

      SHA1

      4ef3ffb920a9c480674bcbda295ca23699ad2fbb

      SHA256

      1f4c041e93b93548dc7881ae10b43857989212494ed7b31c951cfe74acfcaea4

      SHA512

      46960d6c5935a8daca19b5f6f79f8c2e55548f504f51cc9b5c1360a52503d79f2789cff37d87f0211e9d2489b5ac352cc2ab8301e8258d2480a5fa29cb3fc772

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      4a11c8ee97d58c0788cd8e1f1f424bbb

      SHA1

      90d99b315d0bc4b95e6dc43c384466e175066b96

      SHA256

      833bf49653e387cac3598c7a9ed9cc41597ee2c37e4743bd803c8e56fd8bc169

      SHA512

      d90cd825c874eb8e6e5bc5b10a50ff0c232798385062f6fb757011804ff72afa2ce708fb6c597487d89dd58524fa95a4eb7ad36d09a51b0aca0c21f5b33b3b06

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      f2dc1d4a3fe5e14426ce3a55cf9dfbe9

      SHA1

      158c20f619c7c3f8a8ff5aa2fc6192a7db6b8bbb

      SHA256

      1afb01235ddbef19be3fd894bcdd287b00aff0f11d205b191746bcca554035a7

      SHA512

      ab1a25cb1e565a77af294d05b5f7a9bf778aa4cd7c0d5bb29ede8592c0b23f40cff9f2e6a77c363810b5f2a9c3c9725fcbdbe821312857327712fe3d1911d274

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      e551d298945afc3d8614ee6b8fcb7506

      SHA1

      60db8ecda321db3d871243bd0665eef3e73abf30

      SHA256

      6515825221b0c8570c548b0ede21710924f768e9afc8ee4c9a834dc89891acd2

      SHA512

      ba358aef7eec4bf83ffe4a86090ee2879cfc321548d83a833e9497ee8c6f9ad38e16db1339029148de1541a92123b1e991b4e3e965bb6de7975d0ef017f9791f

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      37796c5d478e197ebeabefc2f98616bd

      SHA1

      240de741472a1b197da78d25328fc40c81e809d5

      SHA256

      30f6a8178c46bc7482474d91bc98649b05b3f7403baa3e859d5a84e94db7154c

      SHA512

      aa19356b31e68236b9fbbc851275e0020e7433eb9ac671abdab1fd006463a3a56a75fc300e2a6000b603275aee274ef63c87d366edcb38606a94d0f1d4b820d2

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_BF65129E34A9A67CDB29CEA5E724F901
      Filesize

      414B

      MD5

      d154f12be7c0e5ce2c629512cc8a6683

      SHA1

      53160729a6e025b025ddea985e51bb8d786fb715

      SHA256

      b4337843b38d77182ffd2885c9c2f87385a77547eca7fc10ac3252cf4b0c9973

      SHA512

      09928c58d2ca9dda394fd98712209e0211cca56cc6be17e96d392a846230e99aa4d88ba6a1769a78a7fad51d5495931c494aeaba229356672c3d9cb8b3f39fa7

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
      Filesize

      392B

      MD5

      62196802d4df7c42d49358da49e2cbca

      SHA1

      2486b916be0a1d9bfb8464debf53f929e09ece55

      SHA256

      b8858f518ba449de97b371898f440e07b21a2a55d1bc383aed28696dc27062f6

      SHA512

      97608462ea9fd42b9e6a1a682f5a21cf5bb961c6313a8863ba37b793c60fe7ceaa11b1f05cee9bb722a6be40e510c78f4467e3efb28098b25f99a7cf4aa5d664

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_92A59A0F4F7E0452583B0BE3284C67BD
      Filesize

      402B

      MD5

      ec0f445d205d8157cb2af3976a05ff02

      SHA1

      ac117b4da53cb8b58933e2ca6e97cd5b26aa6bed

      SHA256

      0629cafe7e2baa3b236ac2dfd8c9663785cb57b1b5fb2bcea34246464915bbe6

      SHA512

      4f180c307956d31f0d63d73399ea25129ce630c62894a8fa7fd619b8a5527a3c0d2759ab9cc8039568ff80dc071bf69c12030bf17f947d37c1e866ff5a27bc05

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4R90HQQX\WEVEA323.htm
      Filesize

      356B

      MD5

      7a7107ef5b0185f624703f0ce3161389

      SHA1

      4e95838c06fbe825cd69feac3f28e91d6ea12d4f

      SHA256

      3750f0f41871b5f6a0669e0fae857a2828ae2a187d8865d6e72f9929c4c00dfb

      SHA512

      d187740861254f65a115040fc5d0a3ffe9553917fc55ebd5989c6605726d749760144a4c208a89a4b655f2c48a7daa6cfddca2f17c9a15f2dcf78bba40d8ea16

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4R90HQQX\sale_form[1].js
      Filesize

      761B

      MD5

      64f809e06446647e192fce8d1ec34e09

      SHA1

      5b7ced07da42e205067afa88615317a277a4a82c

      SHA256

      f52cbd664986ad7ed6e71c448e2d31d1a16463e4d9b7bca0c6be278649ccc4f3

      SHA512

      5f61bbe241f6b8636a487e6601f08a48bffd62549291db83c1f05f90d26751841db43357d7fe500ffba1bc19a8ab63c6d4767ba901c7eded5d65a1b443b1dd78

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6WEH2YLI\caf[1].js
      Filesize

      145KB

      MD5

      70d980087fd31455b884b4f738e5d5dd

      SHA1

      9c2a73a5e73ecc85647c5419b4b6ba54e0b7cb0d

      SHA256

      25b0aa1e92d28a94a322d74db88ff378d3626a32479d8fab625f4d1210e2800b

      SHA512

      e06552866174bc098734b2ac75c222e456f706a755b2c6a2664865d5bf133a7225bb474bd117725dc23daa5a1f30d9dcb9066d73c39373a95460bdea161b2183

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E25VF8N4\caf[1].js
      Filesize

      145KB

      MD5

      02e1d7d22ce77a26db2d31e0ea226c4d

      SHA1

      589e90664548afbd0a6bd50624e06511989ffc27

      SHA256

      b8c187466021871117db097cde92e79d559f9c28804015bef784dac6c6d4e8df

      SHA512

      94ebdcf9e9d2f13676ef2b997e5a6b6b27b9bbdeb71c207b8269ac629a7d08b3503774f05123e30d0b9aa823660a6c02cffe7dd11fc39b3d0e7e253e3c8950fe

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT4IJQ91\24NAROM1.htm
      Filesize

      16KB

      MD5

      322d89e3737c6ea02b85fed17e61d744

      SHA1

      9fbe449eae47c77a7734d055ecff7941838e7745

      SHA256

      6aa7ded1346a728bfef297d453edc6d2c156658c750f5d8f10cb23cd28b2108f

      SHA512

      979f875f8f47802eebe517739af1101b73209944ad0580888ed2b0311d67a85bfbd621dd2f1b68bc1ab75e1e2a5a5eb25290cfedc5785b84bed72da4ddb5ec7a

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT4IJQ91\arrows[1].png
      Filesize

      11KB

      MD5

      0cb2e5165dc9324eb462199f04e1ffa9

      SHA1

      9e0f89847ec8a98d98a6020bc5c4ed32b7a48bf8

      SHA256

      67dff0aad873050f12609885f2264417ccdd0d438311000a704c89f0865f7865

      SHA512

      7a285c4a87b9f9093b7ba720d8fe08e0ad7e2ebde9ef8c8d11b70afa08245af8f8a7281c7b3fbe8bad21c3afde4f32634d3bd416822892aa47ba82c12f4b8191

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab42FA.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar5AB0.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~DFA34CB9B516D3AB6C.TMP
      Filesize

      16KB

      MD5

      a9ad9d3e1e1194b228f28a0d91980908

      SHA1

      33c9adf4f7fefc2679169378d750d729954b4c66

      SHA256

      866e3898e4feb4b72a7cbc048efcc4b6bae963d3280c65df367d17228bd9de35

      SHA512

      3e1ace6601fb9cdf97569ef0aedd3d9805aae4babbfc5f25f8802ef5432976007b7027d9fbb90a84fe2223e7f0ad7817b684a8fa99a7521fb3ebe18640b85c9e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\E5VVLGC6.txt
      Filesize

      101B

      MD5

      295499cbaa00eb9f30008737e96a7bee

      SHA1

      eaff52388a1c8f60ad7d31153a900f2c9632c419

      SHA256

      6173602c6edfdd5507b776a12d98ee1c370a4d1d59692746195178bc110b3a0e

      SHA512

      74e79d86f44af4c59c23f8268101c699688dd3ab2b77b903fb98b1ec344ac6d5668e83281fdbf771334216c85bf570abef32fd2119b85cc889945ecc62c0c845

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W008ON90.txt
      Filesize

      154B

      MD5

      bfe41705f6d3ccf42f6fce6e24292c5f

      SHA1

      bda9d3f66e5bd33e8eab8fd407883d4f8801ee2d

      SHA256

      e9fc8c079577edd2ec414d3a2a2d86b0c2b529cdda71f3d84df63f8a73a041a9

      SHA512

      174e3928dcde13a0b74ca9e3f07440c3ca7ee4efce717e179070a74e3d8abb29a6ec71b403af8f76aa6589e52e030f6a224b8bcd9b96e292d302ed847581e0cc

      Download Submit
    • memory/2928-0-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2928-2-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2928-1-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2928-4-0x00000000002F0000-0x000000000030B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/2928-8-0x0000000000360000-0x0000000000362000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2928-3-0x0000000000020000-0x0000000000021000-memory.dmp
      Filesize

      4KB

      Download