Overview

overview

10

Static

static

3

d749601aa6...62.exe

windows7-x64

10

d749601aa6...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    19-03-2024 22:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d749601aa69d773d4c3066b749fec862.exe

  • Size

    203KB

  • MD5

    d749601aa69d773d4c3066b749fec862

  • SHA1

    40564428edb9c3238f816bf888c48b67fc28a463

  • SHA256

    99c6472de2025a0821885c050879e40eebed95fafcfbf977e532334fdd9b7158

  • SHA512

    2c27a44f41e06e9ecceef1d9e61dbae4b91a727790908b3ca568895b009152c57f32b3a17c88a49ba26b9a586a5a6088f43d8e4acadce6cd6679071e9ca63bdc

  • SSDEEP

    3072:Zcji2dQ6v4uPXDNUj4jKBonzmLXlYVRLh0epEEZqkFBc4+uTqN76o:Zmdp4uPZzGonqXGXh0bluBc4GZ5

Score
10/10
gozi3162bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215165

Extracted

Family

gozi

Botnet

3162

C2

menehleibe.com

liemuteste.com

thulligend.com
Attributes
  • build

    215165

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d749601aa69d773d4c3066b749fec862.exe
    "C:\Users\Admin\AppData\Local\Temp\d749601aa69d773d4c3066b749fec862.exe"
    1⤵
      PID:2308
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2292
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2000
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2472
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1684
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:572

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b4437b692f86c08cb4a8eb25f9398611

      SHA1

      af4222e0b917758c7c5adf9fa18328624eab7c11

      SHA256

      4ecb8a495c4f56dd9f283f51934ee2f13bcf405c7af4c5c45dfadf393bed4d16

      SHA512

      e1ee98b86890cf38fb7ae8c96dcbd6db23ea0ca20a0eac33be68a59aac6a97ca85c245e9aae6697bbdfc767202fff890d8245775bce94e7e3c5691309a4deea0

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      8ac1b645ddb596a505a9d994ea3d11e5

      SHA1

      2bf3b466a93ec4d380642d46041f8ca7f965ed42

      SHA256

      5b0addd7fd57f7630e3beb3009fa6041f647788c4ca7d21feca5ad0c9c82a0fc

      SHA512

      182125087bae59892db92d02c732c62b5f4aacc0c0d032ef047e6cef06c9d66fca257784c24fb05d5274a289d65ab24fb80690dbde7b4cd14ea897e51172cb75

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      a5fcd0e91d75f79c016e259052081e71

      SHA1

      ec7c93a1f2d27cd14ef43a4e25b6122db6b5751d

      SHA256

      8a236cc04ca5d095ca654a7d63f506a15f356d728f2ae660f8b4079e5b28d518

      SHA512

      1951d93c1bf670bf85959f954bd1b52ac0ad05c40fb10eecc441b5f631e7f633ade432e0178ff4af76a29055c023281aeb28940c27448fd5194dc7e16b80a137

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      10ef654ab827d08e104fb08976615554

      SHA1

      261475a4aeed1aad85ed8535191974f29db96220

      SHA256

      3220dc81d41a7f77b033da40069cb55cdc6216ce85289f77de2ffd24dd8faa8b

      SHA512

      cb9b06ecb249afdcc24b9dd7e21c2f8e0c3bf1561822aac35a39639e4dc7fd296148d7143a985dfe11cc8b3512791369057ba253720a222f86f6d8506f55ffb0

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      40351c7a7fa8b2c440f8e040ac7ddadc

      SHA1

      3e192ccb2f5fa5ab9e41ca07039508f0a8f40b61

      SHA256

      12a8047ac71a683c9b0d51e9a16153897a2a073cb02f8e38bc3a13d8271e315b

      SHA512

      9f00ec50e495991b44ac9a786b21502bb1f08766f9b6565036c3d278cbf97f763e915942646404889d76ded679af37d05c07c6533ced4e7f2ee5caec32431711

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b7399177a9d40d5d9714d69a069b5e0d

      SHA1

      315a08de945be24ddbcca2bfd55cff4adba48274

      SHA256

      ea2a38ae8e45377c1c1976ac59204e01ba65fe9f5dd1f1f4c0b1c1036e9754b7

      SHA512

      b4dac362b9dfa67db49e7123083004e06cbfdd59438da7e59203f6189a209b2210e943288b7039eb7251c89fb8ef54e742250405f787ba34309163dedd623ecf

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      f50d000a86c8c670074af2fdda665337

      SHA1

      370a9f44ec2b672e89b7441ca337f77905680aaf

      SHA256

      44e22f4c62b29a07ee38023af628310f3ffea02b4526efbca0ba26f8f5f2d1b9

      SHA512

      16784ca4187ee8ef5bef286dedb4fd8c26c1b3a707a3e68ef17a2badce70d0ec5c167d57e315ba13066bab3d669eb6a2bc8104d1dc46ab095d99ea11502da61b

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\sale_form[1].js
      Filesize

      761B

      MD5

      64f809e06446647e192fce8d1ec34e09

      SHA1

      5b7ced07da42e205067afa88615317a277a4a82c

      SHA256

      f52cbd664986ad7ed6e71c448e2d31d1a16463e4d9b7bca0c6be278649ccc4f3

      SHA512

      5f61bbe241f6b8636a487e6601f08a48bffd62549291db83c1f05f90d26751841db43357d7fe500ffba1bc19a8ab63c6d4767ba901c7eded5d65a1b443b1dd78

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\P5GS51DT.htm
      Filesize

      356B

      MD5

      7a7107ef5b0185f624703f0ce3161389

      SHA1

      4e95838c06fbe825cd69feac3f28e91d6ea12d4f

      SHA256

      3750f0f41871b5f6a0669e0fae857a2828ae2a187d8865d6e72f9929c4c00dfb

      SHA512

      d187740861254f65a115040fc5d0a3ffe9553917fc55ebd5989c6605726d749760144a4c208a89a4b655f2c48a7daa6cfddca2f17c9a15f2dcf78bba40d8ea16

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\SJ852GON.htm
      Filesize

      15KB

      MD5

      936dc449e869d68c6151b80933e8c8eb

      SHA1

      2d3da4b2f0187a1373d1015cac05ef569b8107e6

      SHA256

      f2ca7cd79e884dbbfcf311efa30bc17a0c301a0b63ff7e5ba0103ab842f80370

      SHA512

      1265e5caf7188f775c278af5d89bb8a7d0db9eb155831153ebde11923660930190986965340044ef2972025b1af13e7aff07e3bbd8dadf27e52d78f792ef3a20

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\arrows[1].png
      Filesize

      11KB

      MD5

      0cb2e5165dc9324eb462199f04e1ffa9

      SHA1

      9e0f89847ec8a98d98a6020bc5c4ed32b7a48bf8

      SHA256

      67dff0aad873050f12609885f2264417ccdd0d438311000a704c89f0865f7865

      SHA512

      7a285c4a87b9f9093b7ba720d8fe08e0ad7e2ebde9ef8c8d11b70afa08245af8f8a7281c7b3fbe8bad21c3afde4f32634d3bd416822892aa47ba82c12f4b8191

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab8C2C.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar8DD8.tmp
      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~DF4838B45EFC01211D.TMP
      Filesize

      16KB

      MD5

      84c034514edd536bea266100059a90d1

      SHA1

      cc38ba4b2c81398f28950a5f7092224cd327bce5

      SHA256

      4aa01c19a6f2e84b86cc6c8e01a90e1f277cbd9b08424c4a7c073d4baff49e5a

      SHA512

      25e43dd1f13f8e210fc659d1a610117198e4e7fc531c8120a1b01ff1418e82b922eae1b8e46a717c6cf0ad09559b6544962c233b3caf8a1dda74886d37a2e119

      Download Submit
    • memory/2308-3-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2308-1-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2308-497-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2308-2-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2308-4-0x0000000000020000-0x0000000000021000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2308-5-0x0000000000440000-0x000000000045B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/2308-9-0x00000000004A0000-0x00000000004A2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2308-0-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download