Analysis

  • max time kernel
    146s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-12-2023 14:38

General

  • Target

    0196aa6b6e09389e94acafba9049fe5f.dll

  • Size

    355KB

  • MD5

    0196aa6b6e09389e94acafba9049fe5f

  • SHA1

    6248bd71cc01f4dd0728bf8536c29aff31adb4ce

  • SHA256

    84b16227e05b966470c3624cc9129296d73b96c11c90ff5d02a6aea8ab196b9e

  • SHA512

    004683c3bcc190134f6715bef7fc1d788e3b7d02c68f6f51980433078be7c126f382fb2832d2668c23f234f9b6ab0d0e1e2e1d0dca33d9f40803f412f566c81a

  • SSDEEP

    6144:BstpyZ+ANKcOVwmBfjdLz5kazt+x1gLY3TGAa7VGpwCu:BstpbA3OOmljdLGeZOGH7Cu

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1500

C2

gtr.antoinfer.com

app.bighomegl.at

Attributes
  • build

    250204

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0196aa6b6e09389e94acafba9049fe5f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0196aa6b6e09389e94acafba9049fe5f.dll,#1
      2⤵
        PID:1520
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3016
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:540
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2312
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1596

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      0fe680884ef2cc3dd33c674e84d08de4

      SHA1

      3ead7865e9553db2292d647322846612a6957679

      SHA256

      f156ab9b0439419bc258d83610d16bfc506b26d2f1b3a587b39ecb7b70c889e8

      SHA512

      bfa649dbca8174374b168f38427022cb0a81c958bb8d9147bf83bae884983014a3014cd8abbbe1b76cf424ab4cc903fae50da16ffa539e01f6feb2f6f3c017c8

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      534a71dda8d8068380cefa3f22ccd678

      SHA1

      f7fb75751752a2ba8d8b73192c54e4441fcb08c7

      SHA256

      8d1f3b042dba53d730acc09d44d8a590b42c37c9c689b8f89cb927d20ec93da9

      SHA512

      ce1d112f30bf62b4f894ead008afd547862936ee2758c6730fcb96535f50e978fef308124a5c0380d6c658ff9145eab9f100cdb18ed1beb71ab2a4d1e373fa3d

    • C:\Users\Admin\AppData\Local\Temp\CabBFE8.tmp
      Filesize

      44KB

      MD5

      e713b29b5002fb0a530d8e928084fc99

      SHA1

      ab597c5918b7156c4a1e0ca5d88fe34902253353

      SHA256

      eadf2de13faa9969c1bf0d6e358355d994a536cc2c3d4439ca010d20d413fda2

      SHA512

      824f02aca11833e61fb55975547114d7316bcb45742eebead2a131781965593d3600316fbbe60ef3e708374c031497a56a30ff63585abb0d6ea5883394d1a5c6

    • C:\Users\Admin\AppData\Local\Temp\TarBFFB.tmp
      Filesize

      60KB

      MD5

      87735fd22057dc4d908015170f1e45f1

      SHA1

      66d82f4d945a1dc88e074a5ecca104ee7a6ab4a7

      SHA256

      fc426324ac66a979dcee6c5e60823726a450aa671d2b5f6c18e593db11ea4174

      SHA512

      09077533c5a30a8198ed99ec1b6aaf63b99da56f17be9da4d846f46d6c9af726ee7b25148853c06efacb6ab70ff69d95db725c788559ab32fa2f11ab415e72ea

    • C:\Users\Admin\AppData\Local\Temp\~DF6A032A731A504800.TMP
      Filesize

      16KB

      MD5

      0e8003288e0b8f3f0f345c79d71def4a

      SHA1

      83be1830dbe2510983cf24e9f141505448f9ba6e

      SHA256

      4c147ff160c4778b396dbc5164e5e090b230e0532fa69ac23c2a59941cd8f8c6

      SHA512

      c3e62b4130b9b4aff8a7cd0f6f7f455554e42d65d0aa40d19e62fe0605881d5a262d6cff9438bed20b6381812d6de6ec1c7bdd6d53f23cd1e49fc65b0208b7a4

    • memory/1520-0-0x0000000074600000-0x00000000746F4000-memory.dmp
      Filesize

      976KB

    • memory/1520-1-0x0000000074600000-0x00000000746F4000-memory.dmp
      Filesize

      976KB

    • memory/1520-2-0x0000000000140000-0x0000000000141000-memory.dmp
      Filesize

      4KB

    • memory/1520-3-0x0000000000160000-0x000000000016D000-memory.dmp
      Filesize

      52KB

    • memory/1520-6-0x0000000074600000-0x00000000746F4000-memory.dmp
      Filesize

      976KB

    • memory/1520-9-0x0000000000220000-0x0000000000222000-memory.dmp
      Filesize

      8KB