gozi | bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7

Analysis

max time kernel
0s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7exe.exe
Size

2.5MB
MD5

66d13537ed49e50fb83673f7632c0e5e
SHA1

dc3ac1f47fe9d06e847fcb0ddf26190add45b839
SHA256

bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7
SHA512

c7047b62d3d8313bd9eec725c310a635f452e57d21b5ae625ef7993620ffc7fbb503ac3dc5b9309fdf47704437a4126d35155f63697761888c36d399baca1064
SSDEEP

49152:9gFBlMFeWIvkLRoj9xuL5daZ1MzvgQza2Mv14mkE2NHGBF2E8r1TAHzNxy8zX5FT:y3lMTrLujc5wjMzlzbAhr2hGAE8RsHHr

Score

10^/10

gozi smokeloader vidar 706 backdoor banker isfb stealer trojan

Malware Config

Extracted

Family

vidar

Version

40.4

Botnet

706

https://romkaxarit.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/1056-132-0x0000000004020000-0x00000000040F3000-memory.dmp	family_vidar
behavioral1/memory/1056-136-0x0000000000400000-0x00000000021C7000-memory.dmp	family_vidar
behavioral1/memory/1056-285-0x0000000004020000-0x00000000040F3000-memory.dmp	family_vidar

Executes dropped EXE 1 IoCs

pid	Process
2884	setup_installer.exe

Loads dropped DLL 4 IoCs

pid	Process
1672	WerFault.exe
2884	setup_installer.exe
2884	setup_installer.exe
2884	setup_installer.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
632	2676	WerFault.exe
2960	1056	WerFault.exe	25
1672	2364	WerFault.exe	23

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2884	1672	WerFault.exe	44
PID 1672 wrote to memory of 2884	1672	WerFault.exe	44
PID 1672 wrote to memory of 2884	1672	WerFault.exe	44
PID 1672 wrote to memory of 2884	1672	WerFault.exe	44
PID 1672 wrote to memory of 2884	1672	WerFault.exe	44
PID 1672 wrote to memory of 2884	1672	WerFault.exe	44
PID 1672 wrote to memory of 2884	1672	WerFault.exe	44

C:\Users\Admin\AppData\Local\Temp\bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7exe.exe
"C:\Users\Admin\AppData\Local\Temp\bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7exe.exe"
1⤵
PID:1672
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2884

C:\Users\Admin\AppData\Local\Temp\7zS44BD0226\Fri12e21d8598.exe
"C:\Users\Admin\AppData\Local\Temp\7zS44BD0226\Fri12e21d8598.exe" -u
1⤵
PID:2364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 588
  2⤵
  - Loads dropped DLL
  - Program crash
  - Suspicious use of WriteProcessMemory
  PID:1672

C:\Users\Admin\AppData\Local\Temp\7zS44BD0226\Fri1229966ae2.exe
Fri1229966ae2.exe
1⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\7zS44BD0226\Fri1217d16cb7f3924a2.exe
Fri1217d16cb7f3924a2.exe
1⤵
PID:1056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 968
  2⤵
  - Program crash
  PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 416
1⤵
- Program crash
PID:632

C:\Users\Admin\AppData\Local\Temp\7zS44BD0226\Fri12c29e55e121906.exe
Fri12c29e55e121906.exe
1⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\7zS44BD0226\Fri12716cec7fe.exe
Fri12716cec7fe.exe
1⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\7zS44BD0226\Fri1269b50f53f6d35.exe
Fri1269b50f53f6d35.exe
1⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\7zS44BD0226\Fri12a1855208d3.exe
Fri12a1855208d3.exe
1⤵
PID:2184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\7zS44BD0226\Fri12e21d8598.exe
Fri12e21d8598.exe
1⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1229966ae2.exe
1⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri12716cec7fe.exe
1⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri12e21d8598.exe
1⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1269b50f53f6d35.exe
1⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri12c29e55e121906.exe
1⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1217d16cb7f3924a2.exe
1⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri12a1855208d3.exe
1⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\7zS44BD0226\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS44BD0226\setup_install.exe"
1⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\7955.exe
C:\Users\Admin\AppData\Local\Temp\7955.exe
1⤵
PID:2808
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\3om7yoas33w_1.exe
    /suac
    3⤵
    PID:2928

C:\Users\Admin\AppData\Local\Temp\847C.exe
C:\Users\Admin\AppData\Local\Temp\847C.exe
1⤵
PID:984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
1.4MB

MD5
3687df3d6547990a375ee04313a48650

SHA1
8b40134f4df42a7be96020f94edd9be4cb9fc7c3

SHA256
0f994aac5303619ced726f3917b506d4cb045c2a526f7d3d7b81b1c062e1e3c6

SHA512
bc11d36e4df28d789a34048d7caf6b59f31cd9ec3a35435523df6f5c9278967d083cc1c300db63624a2ebfb6b10164c7f2ac602841b73448ec69bdff1186e5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
894KB

MD5
710533a75aea5da3054bff80bdeb099e

SHA1
0a1974ed0e2a306108813d2faa554472c261713d

SHA256
ef1694bf0979ba7cb27a662412461be858515c3d578dc11407cb8e04d2534642

SHA512
eff868d5c9f3f9b2424e63b7f14bdd9b1335c54e5813df288c9da76610fa774d888ef6a2a05d47b37c4e1859318dd31e0a1212dc31bfaddff2c4cf1fb3161b6a

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
2.4MB

MD5
a8224c924e89e0433123d5b837167ad2

SHA1
68a3e27c33df0edab5f1c4c8f48b06e162033b11

SHA256
ff8ea01cceb39bcdd35ef51670129f01f3ec5f5b3c1d52e4ca9ce201b6e8d372

SHA512
f3e2052544dc4381f70c96db8a94eac0aef52f089bb304825180d7b7fb0e89264518f85b6982bc1a3e48fc20288e5c51bf351142d986217e62523f9f564319fa

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
381KB

MD5
a275eb35a2f3dde8848eef51c9831413

SHA1
02fca212bab8836de31fbad45f6f2b4520cd2c3e

SHA256
0b3ebb93d16d3d44508a56495c429003df7cd8a663a845ef623401ed42b4a883

SHA512
b89f0baa68df6fe55570f0b1ba4c5811cf52784452d9d5f2878a97e25cd4968ccf234cf193d1770ed22ef916f5bb62f34d18cafaef2cf8b1c4b53843d3c99441

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
92KB

MD5
305c00c540e5c010533765562d65c13e

SHA1
aacc016e7852e78e73a26cc19e6aca30b4a1161a

SHA256
bf1a789cc4befb3927cf39258e6111b2bbb8720b8e8d811daefdcd6a45500b4a

SHA512
b1b86d6d8d62f8f7a9c12902da86ba54a651094360101810f6fb68937531caed8ac09973462cc9f20f0381da1b634049fb6ca0f6c5b74b57fae2c74bece7867a

Download Submit
memory/860-375-0x00000000779F1000-0x00000000779F2000-memory.dmp

Filesize
4KB

Download
memory/860-376-0x0000000000160000-0x0000000000166000-memory.dmp

Filesize
24KB

Download
memory/984-338-0x000000013F520000-0x000000013FBE5000-memory.dmp

Filesize
6.8MB

Download
memory/1056-284-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/1056-189-0x0000000000400000-0x00000000021C7000-memory.dmp

Filesize
29.8MB

Download
memory/1056-285-0x0000000004020000-0x00000000040F3000-memory.dmp

Filesize
844KB

Download
memory/1056-359-0x00000000054F0000-0x00000000055B4000-memory.dmp

Filesize
784KB

Download
memory/1056-131-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/1056-136-0x0000000000400000-0x00000000021C7000-memory.dmp

Filesize
29.8MB

Download
memory/1056-132-0x0000000004020000-0x00000000040F3000-memory.dmp

Filesize
844KB

Download
memory/1256-334-0x000000013F520000-0x000000013FBE5000-memory.dmp

Filesize
6.8MB

Download
memory/1256-151-0x0000000002980000-0x0000000002995000-memory.dmp

Filesize
84KB

Download
memory/1256-378-0x00000000029A0000-0x00000000029A6000-memory.dmp

Filesize
24KB

Download
memory/1256-353-0x00000000779F1000-0x00000000779F2000-memory.dmp

Filesize
4KB

Download
memory/1256-335-0x000000013F520000-0x000000013FBE5000-memory.dmp

Filesize
6.8MB

Download
memory/1384-357-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-308-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-306-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-344-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-345-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-303-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-304-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1384-305-0x00000000000F0000-0x00000000001B4000-memory.dmp

Filesize
784KB

Download
memory/1384-374-0x00000000000F0000-0x00000000001B4000-memory.dmp

Filesize
784KB

Download
memory/1384-302-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-310-0x00000000000F0000-0x00000000001B4000-memory.dmp

Filesize
784KB

Download
memory/1384-307-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-319-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-301-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-329-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-315-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-316-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/1384-317-0x00000000000F0000-0x00000000001B4000-memory.dmp

Filesize
784KB

Download
memory/1384-340-0x0000000077B80000-0x0000000077D01000-memory.dmp

Filesize
1.5MB

Download
memory/1384-372-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1384-318-0x00000000000F0000-0x00000000001B4000-memory.dmp

Filesize
784KB

Download
memory/1644-126-0x000000001AF20000-0x000000001AFA0000-memory.dmp

Filesize
512KB

Download
memory/1644-127-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-261-0x000000001AF20000-0x000000001AFA0000-memory.dmp

Filesize
512KB

Download
memory/1644-279-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-117-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/1644-364-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-122-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/1644-363-0x00000000779A0000-0x0000000077B49000-memory.dmp

Filesize
1.7MB

Download
memory/1836-355-0x00000000779F1000-0x00000000779F2000-memory.dmp

Filesize
4KB

Download
memory/1976-110-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1976-358-0x0000000000B80000-0x0000000000C44000-memory.dmp

Filesize
784KB

Download
memory/2156-283-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/2156-128-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/2156-123-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-360-0x00000000779A0000-0x0000000077B49000-memory.dmp

Filesize
1.7MB

Download
memory/2156-240-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-112-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2184-134-0x0000000002200000-0x0000000002300000-memory.dmp

Filesize
1024KB

Download
memory/2184-135-0x0000000000400000-0x0000000002154000-memory.dmp

Filesize
29.3MB

Download
memory/2184-133-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/2184-152-0x0000000000400000-0x0000000002154000-memory.dmp

Filesize
29.3MB

Download
memory/2204-356-0x0000000002130000-0x00000000021F4000-memory.dmp

Filesize
784KB

Download
memory/2364-373-0x0000000003090000-0x0000000003154000-memory.dmp

Filesize
784KB

Download
memory/2484-350-0x00000000003D0000-0x0000000000494000-memory.dmp

Filesize
784KB

Download
memory/2492-351-0x0000000000610000-0x00000000006D4000-memory.dmp

Filesize
784KB

Download
memory/2560-352-0x0000000002010000-0x00000000020D4000-memory.dmp

Filesize
784KB

Download
memory/2676-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2676-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2676-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2676-67-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2676-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2676-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2676-77-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2676-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2676-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2676-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2676-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2676-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2676-187-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2676-55-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2676-348-0x0000000001F50000-0x0000000002014000-memory.dmp

Filesize
784KB

Download
memory/2676-186-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2676-183-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2676-184-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2676-182-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2676-169-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2808-313-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2808-314-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/2808-299-0x00000000004D0000-0x00000000004DD000-memory.dmp

Filesize
52KB

Download
memory/2808-293-0x0000000000290000-0x00000000002F6000-memory.dmp

Filesize
408KB

Download
memory/2808-297-0x0000000002500000-0x000000000250C000-memory.dmp

Filesize
48KB

Download
memory/2808-298-0x0000000000290000-0x00000000002F6000-memory.dmp

Filesize
408KB

Download
memory/2808-300-0x0000000077B90000-0x0000000077B91000-memory.dmp

Filesize
4KB

Download
memory/2808-311-0x0000000000290000-0x00000000002F6000-memory.dmp

Filesize
408KB

Download
memory/2808-295-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/2808-292-0x0000000000010000-0x000000000006D000-memory.dmp

Filesize
372KB

Download
memory/2808-296-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2840-369-0x00000000779F1000-0x00000000779F2000-memory.dmp

Filesize
4KB

Download
memory/2884-346-0x0000000003740000-0x0000000003804000-memory.dmp

Filesize
784KB

Download
memory/2920-354-0x0000000002850000-0x0000000002914000-memory.dmp

Filesize
784KB

Download
memory/2924-137-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-125-0x0000000003080000-0x00000000030C0000-memory.dmp

Filesize
256KB

Download
memory/2924-124-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download
memory/2960-377-0x0000000077BAD000-0x0000000077BAE000-memory.dmp

Filesize
4KB

Download
memory/2960-379-0x0000000003950000-0x0000000003A14000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads