Analysis

  • max time kernel
    143s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-02-2024 16:20

General

  • Target

    a43be7341e3d13810d20b9e64e329c83.exe

  • Size

    6.4MB

  • MD5

    a43be7341e3d13810d20b9e64e329c83

  • SHA1

    ad582a30ba365885be34fe503c744088d08b4baa

  • SHA256

    e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464

  • SHA512

    cf79fcf60158a33adb39351b4626e8012e737acf4633b882c75240b21480ac1cc91e811c8b351f6e499b689d15b87054cc185c5d54e8e0d628b8b13bfc3bd877

  • SSDEEP

    98304:oSilBhaEFMX+MEGi6OEJ0ehjDhGSib2RDWBXW4Gd72eg7GpAadkBlsr1SFF0:KhaIRMEXehxitdogqtqBq9

Malware Config

Extracted

  • Family
    gozi

Extracted

  • Family
    gozi
  • Botnet
    1001
  • C2
    update1.avast.com
    zilbon.ws
    update2.avira.com
    lumpet.co
    emerald.ws
    ferroun.in
  • Attributes
    • base_path
      /sreamble/
    • build
      250207
    • dga_season
      10
    • exe_type
      loader
    • extension
      .sre
    • server_id
      12

rsa_pubkey.plain
serpent.plain
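The extracted configuration above is enough to hunt for beacon traffic: it gives the C2 host list, the URI prefix (base_path) and the request extension. The script below is an added example written for this page, not sandbox output and not Gozi's own code. It assumes the ISFB beacon URL shape of host + base_path + encoded request + extension, treats update1.avast.com and update2.avira.com as the padding entries Gozi configs commonly carry (real vendor update hosts that let beacons blend in, so a hit on the host alone is not actionable), treats the dga_season attribute as a sign that the bot will also contact hosts absent from the static list, and runs over constructed proxy log lines in a simplified "epoch client method url status" layout.

```python
"""Hunt for Gozi/ISFB beacon traffic with the configuration extracted above.

Added example for this report, not sandbox output. The beacon URL shape
assumed here (C2 host + base_path + encoded request + extension) is the
family's documented layout; the proxy log lines are constructed.
"""
from __future__ import annotations

from typing import List, Tuple
from urllib.parse import urlsplit

# Values copied from the Malware Config section of the report.
C2_HOSTS = {
    "update1.avast.com",
    "zilbon.ws",
    "update2.avira.com",
    "lumpet.co",
    "emerald.ws",
    "ferroun.in",
}
BASE_PATH = "/sreamble/"
EXTENSION = ".sre"

# Gozi configs pad the C2 list with real vendor update hosts so beacons blend
# in with update checks; a hit on one of these hosts alone is not actionable.
DECOY_HOSTS = {"update1.avast.com", "update2.avira.com"}


def classify(url: str) -> str:
    """Classify one URL against the extracted config.

    beacon      host in the C2 list and the URI has the ISFB shape
    shape-only  ISFB URI shape on an unlisted host (dga_season in the config
                means the bot also uses DGA hosts absent from the static list)
    host-only   listed, non-decoy host without the beacon URI shape
    decoy-host  legitimate vendor host from the padded list, no beacon shape
    clean       nothing matched
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    shape = path.startswith(BASE_PATH) and path.endswith(EXTENSION)
    if shape and host in C2_HOSTS:
        return "beacon"
    if shape:
        return "shape-only"
    if host in DECOY_HOSTS:
        return "decoy-host"
    if host in C2_HOSTS:
        return "host-only"
    return "clean"


# Constructed proxy log lines: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1708878000 10.0.0.5 GET http://zilbon.ws/sreamble/AB3kT9/_2F_9x0.sre 200
1708878003 10.0.0.5 GET http://update1.avast.com/sreamble/Qw0_d/k3.sre 404
1708878010 10.0.0.7 GET http://update1.avast.com/iavs9x/servers.def 200
1708878020 10.0.0.9 GET http://xk2pqz9.ws/sreamble/Xyz12/a.sre 200
1708878025 10.0.0.9 GET http://lumpet.co/ 200
1708878030 10.0.0.5 GET http://example.com/index.html 200
"""


def hunt(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, verdict, url) for every non-clean line of a proxy log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        verdict = classify(url)
        if verdict != "clean":
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    for client, verdict, url in hunt(SAMPLE_LOG):
        print(f"{verdict:<11} {client:<10} {url}")
```

The ordering in classify matters: a beacon-shaped URI on update1.avast.com is still rated "beacon", because the vendor host is only a decoy when the rest of the request looks like a normal update check. Conversely, a DNS or proxy block on the two vendor hosts would break legitimate antivirus updates without stopping the bot, which can fall back to the other listed hosts or to DGA domains.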

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter (1 IoC)
  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely used as a geofence.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe
    "C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\is-EVEHL.tmp\a43be7341e3d13810d20b9e64e329c83.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-EVEHL.tmp\a43be7341e3d13810d20b9e64e329c83.tmp" /SL5="$80064,5898797,953344,C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe
        "C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe" /VERYSILENT
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4268
        • C:\Users\Admin\AppData\Local\Temp\is-69HCU.tmp\a43be7341e3d13810d20b9e64e329c83.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-69HCU.tmp\a43be7341e3d13810d20b9e64e329c83.tmp" /SL5="$C021A,5898797,953344,C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe" /VERYSILENT
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe
            "C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:4704
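The tree above is an Inno Setup chain: the installer unpacks its second stage to %TEMP%\is-XXXXX.tmp\<name>.tmp and starts it with /SL5=, that stage re-executes the installer with /VERYSILENT although the user never passed that switch, and the second silent stage finally starts BouncyDotNET.exe from the per-user Roaming directory. The scoring below is an added example by the editor, not the sandbox's rule or a vendor signature. It rebuilds the five processes as Sysmon Event ID 1 style dicts (ParentProcessId 1000 for the root is constructed), adds a constructed benign control chain (setup.exe, its is-ABCDE.tmp stage and an app under Program Files) and rates a chain by which of three heuristics it triggers; an Inno stage on its own is rated low because every Inno installer produces one.

```python
"""Score an Inno Setup process chain like the one in the tree above.

Added example, not sandbox output. Records are Sysmon Event ID 1 fields
(ProcessId, ParentProcessId, Image, CommandLine) reduced to dicts and rebuilt
from the report's process tree; the root's parent PID and the benign control
chain are constructed. The heuristics are the editor's, not a vendor rule.
"""
from __future__ import annotations

import re
from typing import List, Set, Tuple

# Inno Setup extracts its second stage to %TEMP%\is-XXXXX.tmp\<name>.tmp and
# hands the original installer back to it via /SL5=; seen at PIDs 2680 and 3004.
INNO_STAGE = re.compile(r"\\Temp\\is-[A-Z0-9]+\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\.+\.exe$", re.IGNORECASE)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\is-EVEHL.tmp\a43be7341e3d13810d20b9e64e329c83.tmp"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\is-69HCU.tmp\a43be7341e3d13810d20b9e64e329c83.tmp"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe"

# The report's process tree; parent PID 1000 of the root is constructed.
REPORT_EVENTS: List[dict] = [
    {"ProcessId": 3028, "ParentProcessId": 1000, "Image": SAMPLE_EXE,
     "CommandLine": '"%s"' % SAMPLE_EXE},
    {"ProcessId": 2680, "ParentProcessId": 3028, "Image": STAGE1,
     "CommandLine": '"%s" /SL5="$80064,5898797,953344,%s"' % (STAGE1, SAMPLE_EXE)},
    {"ProcessId": 4268, "ParentProcessId": 2680, "Image": SAMPLE_EXE,
     "CommandLine": '"%s" /VERYSILENT' % SAMPLE_EXE},
    {"ProcessId": 3004, "ParentProcessId": 4268, "Image": STAGE2,
     "CommandLine": '"%s" /SL5="$C021A,5898797,953344,%s" /VERYSILENT' % (STAGE2, SAMPLE_EXE)},
    {"ProcessId": 4704, "ParentProcessId": 3004, "Image": PAYLOAD,
     "CommandLine": '"%s"' % PAYLOAD},
]

# Constructed control: an ordinary Inno installer launching the app it installed.
SETUP = r"C:\Users\Admin\Downloads\setup.exe"
SETUP_STAGE = r"C:\Users\Admin\AppData\Local\Temp\is-ABCDE.tmp\setup.tmp"
APP = r"C:\Program Files\ExampleApp\app.exe"
BENIGN_EVENTS: List[dict] = [
    {"ProcessId": 500, "ParentProcessId": 1000, "Image": SETUP, "CommandLine": '"%s"' % SETUP},
    {"ProcessId": 501, "ParentProcessId": 500, "Image": SETUP_STAGE,
     "CommandLine": '"%s" /SL5="$1,2,3,%s"' % (SETUP_STAGE, SETUP)},
    {"ProcessId": 502, "ParentProcessId": 501, "Image": APP, "CommandLine": '"%s"' % APP},
]


def is_inno_stage(p: dict) -> bool:
    return bool(INNO_STAGE.search(p["Image"])) and "/SL5=" in p["CommandLine"]


def chain_for(events: List[dict], pid: int) -> List[dict]:
    """Follow ParentProcessId links from pid up to the root; root comes first."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["ProcessId"] not in seen:  # guard against PID-reuse loops
        seen.add(cur["ProcessId"])
        chain.append(cur)
        cur = by_pid.get(cur["ParentProcessId"])
    chain.reverse()
    return chain


def chain_features(chain: List[dict]) -> Set[str]:
    feats: Set[str] = set()
    if not chain:
        return feats
    root = chain[0]
    for parent, child in zip(chain, chain[1:]):
        if is_inno_stage(child):
            feats.add("inno_setup_stage")  # benign on its own
        if (child["Image"].lower() == root["Image"].lower()
                and "/VERYSILENT" in child["CommandLine"].upper()
                and "/VERYSILENT" not in root["CommandLine"].upper()):
            feats.add("silent_self_relaunch")  # the user never asked for a silent install
        if is_inno_stage(parent) and APPDATA_EXE.search(child["Image"]):
            feats.add("inno_stage_spawns_appdata_exe")  # run from the per-user drop directory
    return feats


def analyze(events: List[dict], leaf_pid: int) -> Tuple[str, List[str]]:
    """Rate the chain ending at leaf_pid: low, medium or high, plus the features hit."""
    feats = chain_features(chain_for(events, leaf_pid))
    extra = feats - {"inno_setup_stage"}
    if "inno_setup_stage" not in feats or not extra:
        level = "low"
    elif len(extra) >= 2:
        level = "high"
    else:
        level = "medium"
    return level, sorted(feats)


if __name__ == "__main__":
    print("report chain:", analyze(REPORT_EVENTS, 4704))
    print("benign chain:", analyze(BENIGN_EVENTS, 502))
```

Both the /SL5= argument and the is-XXXXX.tmp directory name are random per run, so the matching keys on the shape of the path and the presence of the switch, never on the literal values from this report.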

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery
    Query Registry (T1012): 1 signature
    System Information Discovery (T1082): 2 signatures


Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-EVEHL.tmp\a43be7341e3d13810d20b9e64e329c83.tmp
    Filesize

    3.1MB

    MD5

    8a24adf60923719e71306f56deb49ebc

    SHA1

    e098600fd5a98bc37d0d887e705a32a54bf4ae84

    SHA256

    221643457442624e98646e2e6f8a6ec7d8d79f9830d13cb168f69e60e69b0085

    SHA512

    dfbc2fcd389e07c4a2fcf7ce440f079022bc40c1b957c6bd89e7dc33695c0e80b5ecbcc823c44c68f80ce791ee065d39d7042b0579f736c786451f0183c6c02a

  • C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe
    Filesize

    5.8MB

    MD5

    e70951807abdec39daefa9a8df9dec15

    SHA1

    15a7b0f9c04d5f6bba477d91b502b4e24c1127f6

    SHA256

    dee1253761af168e331e8909cf6afb20b40a95a34400d9717773a77258ac62e6

    SHA512

    bd87a44e078a9e589b70419f9ba876e067bc549679962faf0a5f96d5f0d0167654adb53b2b10e065de8f705bfa51b0fed09fb3ce28d5014e4260b96dc64fa624

  • C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\Lang\it\is-RDNK1.tmp
    Filesize

    5KB

    MD5

    9325aee138a4d9a15d651920fb403ffc

    SHA1

    19eb57cd989571fa8cd426cbd680430c0e006408

    SHA256

    9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35

    SHA512

    d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

  • C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\cds.xml
    Filesize

    304KB

    MD5

    2b622a85fd2b0b5531c86301818ceb2f

    SHA1

    5e1d127789e78683ce3deee1fd3e38f358bc50c2

    SHA256

    58489a55f9eb210b9e472ca21621ce544e03a2e026f0fa103c1a58102d39c025

    SHA512

    938d7ac9239568536a341c057a44142faad4921bbff5bcc76a89b0b4ed5343f324a46e6c533a9673434286673c4b5efbe4a8156d10c20a2760389ac785a34ce4

  • C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\qclp.dll
    Filesize

    3.8MB

    MD5

    4240767ecbcecd84f3c90d0ee889460c

    SHA1

    d390f9e165408864dda6c925dfe6627c557a6b24

    SHA256

    1d1e59b6a67e1f4ecc8516c384291655d4c51f7f91168e6b593f5f8919bffdc3

    SHA512

    89fe2e6cc6a1480d8a42efe2b694b3b677967b7656326fcf8453c7f484d92f450be65c6c2639cd08131dbc58e0d34ee696bf1b263227e34d2ac91c4aaa7aee61

  • memory/2680-10-0x0000000000400000-0x0000000000730000-memory.dmp
    Filesize

    3.2MB

  • memory/2680-6-0x0000000000920000-0x0000000000921000-memory.dmp
    Filesize

    4KB

  • memory/3004-17-0x0000000002830000-0x0000000002831000-memory.dmp
    Filesize

    4KB

  • memory/3004-199-0x0000000000400000-0x0000000000730000-memory.dmp
    Filesize

    3.2MB

  • memory/3028-13-0x0000000000400000-0x00000000004F6000-memory.dmp
    Filesize

    984KB

  • memory/3028-1-0x0000000000400000-0x00000000004F6000-memory.dmp
    Filesize

    984KB

  • memory/4268-9-0x0000000000400000-0x00000000004F6000-memory.dmp
    Filesize

    984KB

  • memory/4268-201-0x0000000000400000-0x00000000004F6000-memory.dmp
    Filesize

    984KB

  • memory/4704-197-0x00000000005A0000-0x0000000000BBE000-memory.dmp
    Filesize

    6.1MB

  • memory/4704-202-0x00000000005A0000-0x0000000000BBE000-memory.dmp
    Filesize

    6.1MB

  • memory/4704-203-0x0000000002E20000-0x0000000002E30000-memory.dmp
    Filesize

    64KB

  • memory/4704-206-0x00000000005A0000-0x0000000000BBE000-memory.dmp
    Filesize

    6.1MB
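To check another host against the dropped files listed above, the script below matches on both path and SHA256. It is an added example, not part of the report. It normalises the sandbox-specific user name and the random is-XXXXX.tmp directory so the same artefacts under a different profile still match, and it distinguishes a same-path/different-hash hit (a rebuilt sample at the known drop location) from a same-hash/different-path hit (a known file renamed or moved). The demo inputs at the bottom are constructed stand-ins, not the real files.

```python
"""Triage a host against the dropped-file indicators listed above.

Added example, not part of the report. REPORT_IOCS is copied from the
Downloads section; the demo payload and demo paths are constructed.
"""
from __future__ import annotations

import hashlib
import os
import re
from typing import Dict, List, Tuple

# (path, SHA256) pairs copied from the Downloads section of the report.
REPORT_IOCS: Dict[str, str] = {
    r"C:\Users\Admin\AppData\Local\Temp\is-EVEHL.tmp\a43be7341e3d13810d20b9e64e329c83.tmp":
        "221643457442624e98646e2e6f8a6ec7d8d79f9830d13cb168f69e60e69b0085",
    r"C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe":
        "dee1253761af168e331e8909cf6afb20b40a95a34400d9717773a77258ac62e6",
    r"C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\Lang\it\is-RDNK1.tmp":
        "9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35",
    r"C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\cds.xml":
        "58489a55f9eb210b9e472ca21621ce544e03a2e026f0fa103c1a58102d39c025",
    r"C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\qclp.dll":
        "1d1e59b6a67e1f4ecc8516c384291655d4c51f7f91168e6b593f5f8919bffdc3",
}

PROFILE_PREFIX = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
INNO_TMP_DIR = re.compile(r"\\is-[A-Z0-9]+\.tmp\\", re.IGNORECASE)


def normalize(path: str) -> str:
    """Strip the user-profile prefix and wildcard the random Inno Setup temp dir."""
    rel = PROFILE_PREFIX.sub("", path)
    rel = INNO_TMP_DIR.sub(r"\\is-*.tmp\\", rel)
    return rel.lower()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_digests(digests: Dict[str, str],
                   iocs: Dict[str, str] = REPORT_IOCS) -> List[Tuple[str, str, str]]:
    """Map {path: sha256} to (path, kind, matched_ioc_path) findings."""
    by_path = {normalize(p): (p, h.lower()) for p, h in iocs.items()}
    by_hash = {h.lower(): p for p, h in iocs.items()}
    findings = []
    for path, digest in digests.items():
        digest = digest.lower()
        known = by_path.get(normalize(path))
        if known and known[1] == digest:
            findings.append((path, "exact", known[0]))
        elif known:
            findings.append((path, "path-only", known[0]))  # same drop location, different build
        elif digest in by_hash:
            findings.append((path, "hash-only", by_hash[digest]))  # known bytes, new name or place
    return findings


def triage(files: Dict[str, bytes], iocs: Dict[str, str] = REPORT_IOCS):
    return triage_digests({p: sha256_hex(d) for p, d in files.items()}, iocs)


def scan_profile(root: str, iocs: Dict[str, str] = REPORT_IOCS):
    """Hash every readable file below a user profile (e.g. C:\\Users\\jdoe) and triage it."""
    digests: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                continue  # locked or unreadable; note it elsewhere, keep scanning
            digests[full] = h.hexdigest()
    return triage_digests(digests, iocs)


# Constructed demo: a stand-in payload and three hosts' worth of paths.
DEMO_PAYLOAD = b"constructed stand-in for BouncyDotNET.exe"
DEMO_IOCS = {
    r"C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe": sha256_hex(DEMO_PAYLOAD),
}
DEMO_FILES = {
    r"C:\Users\jdoe\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe": DEMO_PAYLOAD,
    r"C:\Users\kim\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe": b"different build",
    r"D:\stash\helper.bin": DEMO_PAYLOAD,
    r"C:\Windows\System32\notepad.exe": b"unrelated",
}


def demo():
    return triage(DEMO_FILES, DEMO_IOCS)


if __name__ == "__main__":
    for path, kind, ioc in demo():
        print(f"{kind:<9} {path}  (ioc: {ioc})")
```

A path-only hit at the Bouncy for .NET Helper directory is worth as much as an exact one in practice: the build attribute in the extracted config (250207) and the random Inno temp names show the operator rebuilds the dropper, so the hashes in this report age quickly while the drop path and the process chain do not.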