gozi

Sharing

Copy URL

Twitter E-mail

General

Target

ItroublveTSC-master.zip
Size

5.4MB
Sample

240426-a3z2eage79
MD5

db80af2964e34f8a0e2408a1f7acdcc6
SHA1

7cb7e4f60942fd3e0320fcc43a8ec5e60f6c3652
SHA256

8d6cb8b53bb014815990250638364db29445ef2d2db6eab813933f8f12e60ff4
SHA512

7316349e856ba84abca676fc79649495701251cd51f01e6cd508cbc6f7ba61c1b705dd38e4b89ef26bafc134d0e1a02f463823071fd4f3679b1c4f926ac033c2
SSDEEP

98304:8vb6B9+Hnroi7e0eceeP4dpsuFuaNzbsKSJm3kL7lyeI54hlIhHDs0GCHC2Pd45E:kb6B9+Hroi7e0eccOuFumvs9c3ggx2he

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

zaidtheboii-50153.portmap.host:50153

Mutex

VNM_MUTEX_fNWmZ9wa8oprRXUo73

Attributes

encryption_key
PJRTtGrfOi1c09c0GCYT
install_name
OneDrive.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft One Drive
subdirectory
Microsoft One Drive

Extracted

Family

gozi

Targets

- Target
  
  ItroublveTSC-master/ItroublveTSC.exe
- Size
  
  2.0MB
- MD5
  
  7c2da2ae36228b8b66ec5e5029e90d08
- SHA1
  
  d636baf89fd305a1f694611097ac6e7bcb1f244c
- SHA256
  
  c6820f426b28b93295ca3b768780e8b372424fb72e94b5d0c094b030f53d4721
- SHA512
  
  93cbc698211b0ab0f96ab3f0eb8d393bcd04580418e08fc6df9b935a7cdd091b619a0edab4771b4c887264b0eef6846e6e08a7be24a8681848a1885206a29960
- SSDEEP
  
  49152:DL+qgtiXBVLcHD/QmJqRsVEzCeePMAnUD:OzcBVYHDjcyVMukAUD
Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  ItroublveTSC-master/bin/Binaries/RtkBtManServ.exe
- Size
  
  2.8MB
- MD5
  
  88ab0bb59b0b20816a833ba91c1606d3
- SHA1
  
  72c09b7789a4bac8fee41227d101daed8437edeb
- SHA256
  
  f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
- SHA512
  
  05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857
- SSDEEP
  
  49152:AsmhnqAs9pJc0dnKh+Q0N1rs+vIUSg+6+8ohnRh1Na1OKM6nYAKhFQpSH3Oh5gxr:6qXpy05Q0N1rsYSZ6BoXh1kkypSH3Ohs
Score

10^/10

gozi banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
behavioral3 behavioral4
- Target
  
  ItroublveTSC-master/bin/Program.cs
- Size
  
  6KB
- MD5
  
  fd4749e21c4ff9db9fa7ec5505aac83e
- SHA1
  
  1ec11f0c7704c738dbf25c12e8a0a0093acde36f
- SHA256
  
  b8b4e6b631cb1aac7f20c3a9f0c4f1869096756a9a30159504b62804bfa14ac6
- SHA512
  
  e8c69f6b71d1e82623d147a77d15327b93ae45820082220ba06487820bb12cfffb97ae9af75c7e4d59c049832e0dcdcf7fce1cd55af89799f84f40fe24bb99dd
- SSDEEP
  
  192:CaS0ztOu1JSKM1DC+KCqbVNS+SgG2KJKimZ9r9qqlJ6nykFwwj+wdyb:CaSkQ1Deb2+Sg8Mnl1
Score

1^/10
behavioral5 behavioral6
- Target
  
  ItroublveTSC-master/bin/Properties/Resources.Designer.cs
- Size
  
  2KB
- MD5
  
  ceb385ce0911f282181e5d6405d17cd8
- SHA1
  
  f7cafcd051d60de46138b39ecc637f2b3d559630
- SHA256
  
  7aba223f119c8e4526831561c70d9ea7dd5260027f4e74fcba01392756619caf
- SHA512
  
  68552c19c59a13dae3e4095b4ae629d1c470ee1c1a05228454a86caa1dd4732ae96dc18c71eb63182c6bec7d5632b0a3f8db450a798301a90d0a938169c955c4
Score

1^/10
behavioral7 behavioral8
- Target
  
  ItroublveTSC-master/bin/Properties/Resources.resx
- Size
  
  5KB
- MD5
  
  c07716633f086d91759ae32a18996a1a
- SHA1
  
  bf3383c20acf6e64ce49f120938456161e5f6cb9
- SHA256
  
  4e124f5a7694ffe813c60601b1b73c53e47536b1f1c0e798d4d55bfc2ca3774f
- SHA512
  
  c6ad0ec603ff69d2d1b787db9426f29d44ea1ba45cf1d2b7ec41cc2bd6d5c93af8d2299139cc1c5d10d56718f36daa37d544f8d5411fad91a72efc2e70454cdf
- SSDEEP
  
  96:ECf+lbD5X5LPXCazYV5Lv6K6uOidfaxwsxuUPFE3qxdRMvDTursrbLAy202W:Zf+tLPfYnLvFVOiFQaUR6
Score

1^/10
behavioral10 behavioral9
- Target
  
  ItroublveTSC-master/bin/obf/CLI.exe
- Size
  
  30KB
- MD5
  
  a6f83da2bfe041d92ff79b9c238ed72e
- SHA1
  
  ac12c6e8973f0f64d1395523fdcfcd0d73856128
- SHA256
  
  0b997165e348b17658bef1e869881c37c79c2a9bb26e132ac4141eefd5912652
- SHA512
  
  9ce5c2825848d360a07c9555bd940ceaf9c598dbf55f99fa783bbc47ca55dc375f562f29dc94e767ccd0f94120e37be90ad055ea22d353c283b0d3992df36e84
- SSDEEP
  
  384:AtQiJWE1r0K0vYzZBgB1P5AkWFq7UQweltaJVuTlVKMwW7nj8VtDVth7WAl9MWod:biJWE1QzvYz/K1yXqYQ8VuAwbfVogxq
Score

1^/10
behavioral11 behavioral12
- Target
  
  ItroublveTSC-master/bin/obf/Confuser.Core.dll
- Size
  
  186KB
- MD5
  
  6f3e120baa644b4dc085a3dd3e183bcf
- SHA1
  
  3f7dbdd082447910be5b31cc80ca5cb64f6339c7
- SHA256
  
  4742104d8e47541ed998d22321717d288cd62682b56f56f4a69dc9bd99c9a6fb
- SHA512
  
  b42cc08f9e32f0e5ac760bc0af517d2b0e7bf469421faead3d33e7e07d24d538046ea912badc196f83badb5b1dc07b4f0141b8a09723dedf7c16628075963812
- SSDEEP
  
  3072:GZ9cy/5Jxj5XhlgUmSae1DxMRqXYjKO02cDTi+P1sR+Fna1R1RjYdfc:GZ9cyhJ95XhlgUmSaevwj1pcDH/uL
Score

1^/10
behavioral13 behavioral14
- Target
  
  ItroublveTSC-master/bin/obf/Confuser.DynCipher.dll
- Size
  
  48KB
- MD5
  
  6ebc90e77623826e71ded623a296660b
- SHA1
  
  4fa7b0dc7582e03a7af6f41cba70b41f3aa5df15
- SHA256
  
  cdad0a76f0d3f3e73fcdc6e5e6d98b0e88adcc2353c54344375b80197a86fcf6
- SHA512
  
  a40dea9f56ce29c6d7c3022d6b09b164dfbc2c294b5ebf7869504cf9010d2dc844a371c6d753afe8851b1eb82e7373736bd68a1430a826ded3b74ca3628ccab2
- SSDEEP
  
  1536:yV4R9J9YnzpSx6dZV0c+NQJOwEhy8bb30aatJILhopNfmxr:yLnzpSx4ZV0c+NQJOwEhy8bb30rJuhoI
Score

1^/10
behavioral15 behavioral16
- Target
  
  ItroublveTSC-master/bin/obf/Confuser.Protections.dll
- Size
  
  205KB
- MD5
  
  a23e80a09e14a6c1ffa3c89cd7af7229
- SHA1
  
  b1d45de9673e85b255096ec54e513a06212e4f15
- SHA256
  
  a5b10ee104e225fbcdfa9f8024701674d9a4556f4e59b90a90a972724ba15bb9
- SHA512
  
  0ba96fce7702829d44e7da9b9df3da0b0655098f719c0c25f683f7760ab4b819d079a2fff04fdb7cd5d8dfb7a571689b070a2a5358d9eee930a56c4c9605db44
- SSDEEP
  
  6144:xAF9fU+KCm9QQmNBCrCmnTH3/JopinC5:xS
Score

1^/10
behavioral17 behavioral18
- Target
  
  ItroublveTSC-master/bin/obf/Confuser.Renamer.dll
- Size
  
  310KB
- MD5
  
  e1656b7bfd3b7c9634f72c4f9085d226
- SHA1
  
  46977837049a8009e18f096d2531ae2fed02ab42
- SHA256
  
  4ce9a9f15724b17da414c4aad7b7bfbba0fd1b80e3d0b8452551d5f79fd32b50
- SHA512
  
  f8c4aa1cbfb9bb78eaa35608815079216f88c7d74185112d76e0125946cf39d32ff7cd60796223764daca624b03d79febd90ac342dfc315579a1d57eea5d3687
- SSDEEP
  
  3072:89nS3lQOaZ1rk8g6t8ZSv05Wa59XVGcxnLa3+qnOw9n/La9pwtgSfHxE1thSv3Vk:89SijrhZLg1r12BOw9n/zJvNjL
Score

1^/10
behavioral19 behavioral20
- Target
  
  ItroublveTSC-master/bin/obf/Confuser.Runtime.dll
- Size
  
  49KB
- MD5
  
  42e45fa8bb26246ed3b3c2760e782912
- SHA1
  
  fa49baf5f55cc5af7eed27b9547305780a7e4ddc
- SHA256
  
  c8bcbe8c706659824ed001caf0be23b8470a99c0391a23c419884ad93df3cce0
- SHA512
  
  f89c328bff75a25a636d0567f9dd0df00494c3156b24fe029677368a349367bea9b3bd0571a79eae94112e694161c1658fc8e8e25076a8b9cb7c4e539944fd21
- SSDEEP
  
  1536:E/XNRvuA5rTGZcIDEG3mmmmH/flJDnJod:YXDZYSGfLrJQ
Score

1^/10
behavioral21 behavioral22
- Target
  
  ItroublveTSC-master/bin/obf/Teen.dll
- Size
  
  45KB
- MD5
  
  fb9d14387b89b30606d094ae8cd93ea0
- SHA1
  
  8f21ac1b24fe1072a9d9ad17eabc738bac23ef58
- SHA256
  
  68eac14ca256f9871cc85ffc77c86b1d6378e6c900dff34f8b697be07b77446a
- SHA512
  
  17e9af55a1967884645e5b30abed374b51c28e173160e369b422ef385a1de9bdb76ef38c740e905629932481421d213ac90589d1bc1c1901c312c3271c75a63e
- SSDEEP
  
  384:6bcg3oHfkx4rxym37Bg4X0HuViEIXPdzJQKDckw6NhU0Pe4oannzXgvijJFWMHJs:lLSDDzgvijTlHJxKbBCxPULcBVDDQ
Score

1^/10
behavioral23 behavioral24
- Target
  
  ItroublveTSC-master/bin/obf/dnlib.dll
- Size
  
  1.1MB
- MD5
  
  e61bad0331819ed63ca3b0d537f7e1a1
- SHA1
  
  30c2b5c5e0a1564b88349fe952abdaf19f500c7d
- SHA256
  
  d8fc78217493febe82670c5a93feb85ab86fc6a0387abcb6e9165e0c0bb97000
- SHA512
  
  fba44931b1af1f23bb0bf011b73378a1a76cacecf53e6d48de5e027742961f5e76add9d5a11410a203b8ec6026cfaacab0dbd5f1bb91f58bb3447dacf6a24661
- SSDEEP
  
  12288:sUHb3PIKxNNhFNxxq6iNq3JaxOCDmuGnjlHesWnuRyKh0ZUvz/sPv7fIFZ:lKzkuWhHDWKMA/sPv7fI/
Score

1^/10
behavioral25 behavioral26
- Target
  
  ItroublveTSC-master/bin/packages/System.IO.Compression.ZipFile.4.3.0/lib/net46/System.IO.Compression.ZipFile.dll
- Size
  
  24KB
- MD5
  
  dcda916372128f13ada8b07026c1b3e7
- SHA1
  
  99d6c187de8510206a93d2eed9c65e65e0c86e72
- SHA256
  
  b5c12e9099643e2eda9b49edd0d98bdaed153c72a7e8e6235d8e78714402d16a
- SHA512
  
  d66de5d61cf7090ce2e11ca8064723a44c2fdbd7ed937f1cf4198ebe13083037941b816ad9022d332bbb853666785600fa8b1faca94c498d2f82de73fe1e42f9
- SSDEEP
  
  384:dK8Y54xRiW3mWeW+mWE3rq0GftpBj52ERHRN7dldBopPI:dKfemqiuEBHoa
Score

1^/10
behavioral27 behavioral28
- Target
  
  ItroublveTSC-master/bin/packages/System.IO.Compression.ZipFile.4.3.0/lib/netstandard1.3/System.IO.Compression.ZipFile.dll
- Size
  
  28KB
- MD5
  
  65306815825ea8652d0ee2163d123d14
- SHA1
  
  e8eaee6e9ae5fcdbd19b056856ba0d8424243e28
- SHA256
  
  db7cb3cf25d563e85a287a77d0c9addf6dbc1907475330a173f4cccc1ca0e6ed
- SHA512
  
  cd649101439099ce741d4c1a1334ce8bd9283d6531585047b64138b533e742808d1097e9419a3936e4939e1d4193488e0451291f4d56d70931e2d87a04239646
- SSDEEP
  
  384:Our1AxpitMy7y4eCgW3mWoQ7q0GftpBj3zDvERHRN7lX1l78oWCmtPa:xr183CziprEBRzek
Score

1^/10
behavioral29 behavioral30
- Target
  
  ItroublveTSC-master/bin/packages/System.IO.Compression.ZipFile.4.3.0/ref/net46/System.IO.Compression.ZipFile.dll
- Size
  
  24KB
- MD5
  
  dcda916372128f13ada8b07026c1b3e7
- SHA1
  
  99d6c187de8510206a93d2eed9c65e65e0c86e72
- SHA256
  
  b5c12e9099643e2eda9b49edd0d98bdaed153c72a7e8e6235d8e78714402d16a
- SHA512
  
  d66de5d61cf7090ce2e11ca8064723a44c2fdbd7ed937f1cf4198ebe13083037941b816ad9022d332bbb853666785600fa8b1faca94c498d2f82de73fe1e42f9
- SSDEEP
  
  384:dK8Y54xRiW3mWeW+mWE3rq0GftpBj52ERHRN7dldBopPI:dKfemqiuEBHoa
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Contains code to disable Windows Defender

Modifies Windows Defender Real-time Protection settings

Quasar RAT

Quasar payload

VenomRAT

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Windows security modification

Looks up external IP address via web service

Drops file in System32 directory

NirSoft WebBrowserPassView

Nirsoft

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32