gozi | 61b5b2ea5f667c7a3bc7ef2ac07283a0c106e7d02e139879481ffa64441e1e55

General

Target

2b25182df120e15147a1d1f86154ece9.exe
Size

653KB
MD5

2b25182df120e15147a1d1f86154ece9
SHA1

8dfb7bb6a85f51a09db361fb83f5edfdb4c5e515
SHA256

61b5b2ea5f667c7a3bc7ef2ac07283a0c106e7d02e139879481ffa64441e1e55
SHA512

a25709a82d7d152a5d2321904154ecced9753fa6158546ba6eddb3c4e8fb1bac565f991951abe6fc9761ed2d21765ab828c4097e7b8a7a21572718c595272cf1
SSDEEP

12288:WqeAoQME4xL3Lq7ZAfsOU+1kGz9nHxUHmCrv+rc:Wq1oldxTLoZcsOUaTzjumKv+rc

Score

10^/10

gozi 202108021 banker rm3 trojan

Malware Config

Extracted

Family

gozi

Attributes

build
300981

Extracted

Family

gozi

Botnet

202108021

C2

https://hotroad.cyou

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CD33C291-ABF6-11EE-882F-5E44E0CFDD1C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

iexplore.exe

pid process

2628 iexplore.exe
2628 iexplore.exe

pid	process
2628	iexplore.exe
2628	iexplore.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2628 wrote to memory of 2720	2628	iexplore.exe	IEXPLORE.EXE
PID 2628 wrote to memory of 2720	2628	iexplore.exe	IEXPLORE.EXE
PID 2628 wrote to memory of 2720	2628	iexplore.exe	IEXPLORE.EXE
PID 2628 wrote to memory of 2720	2628	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2b25182df120e15147a1d1f86154ece9.exe
"C:\Users\Admin\AppData\Local\Temp\2b25182df120e15147a1d1f86154ece9.exe"
1⤵
PID:2136

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:275457 /prefetch:2
1⤵
PID:2720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:1848

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1848 CREDAT:275457 /prefetch:2
2⤵
PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:1820

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:275457 /prefetch:2
2⤵
PID:2076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:1896

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2
2⤵
PID:1620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:2356

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:2
2⤵
PID:2780

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:275457 /prefetch:2
1⤵
PID:1584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:2380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:1504

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1504 CREDAT:275457 /prefetch:2
2⤵
PID:1876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFBE8861A6630674D0.TMP
Filesize
16KB

MD5
07b5e831e35d646b83850a5c1effa919

SHA1
f86a9522e287ccffa377b0886bf02f5ee252e0f8

SHA256
babea7c7dc1b857970a96f6ad69f6b0d8f1317f7c03aace690f5d823ad54cd2d

SHA512
864a4aa676a98bdcfaf63ce8d899641c93b592cbb77ac1b9dedb4e696b4bc9ed9b5ac3f5bc3a9d56858cb60a2191c6c3197290152f027f04edc09a35583d1820

Download Submit
memory/2136-0-0x00000000000D0000-0x000000000021B000-memory.dmp

Filesize
1.3MB

Download
memory/2136-2-0x00000000000D0000-0x000000000021B000-memory.dmp

Filesize
1.3MB

Download
memory/2136-1-0x00000000000D0000-0x000000000021B000-memory.dmp

Filesize
1.3MB

Download
memory/2136-3-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2136-4-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/2136-10-0x00000000003B0000-0x00000000003B2000-memory.dmp

Filesize
8KB

Download
memory/2136-11-0x00000000000D0000-0x000000000021B000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads