Overview

overview

10

Static

static

7

KMSAuto Li...64.exe

windows7-x64

10

KMSAuto Li...64.exe

windows10-2004-x64

10

KMSAuto Li...to.exe

windows7-x64

1

KMSAuto Li...to.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KMSAuto Lite Portable v1.3.5.3/KMSAuto x64.exe

  • Size

    1.6MB

  • MD5

    91138712e5e691a39175f02f145681e6

  • SHA1

    43a00a96fa01e9d4b38b50694dc09ddc3e54939b

  • SHA256

    da87f54817fa427a78a3376e887013c8981e92e4394edaa210bc6557a6ca6930

  • SHA512

    fdb1b99c51ca5a4a3910c46a276d54833161e427d97a9f65b7ad3b4732b4f36fba90ff71f9895cf128f863c903f6ac15e82dd224277bf17ccc5003f2bd6d2ff3

  • SSDEEP

    49152:GG7X7Xfq0Xdqm66MzsNjGgnwuqL6DDf8T:9DjRdqm6LWKgne0s

Score
10/10
gozibankerisfbtrojanupx

Malware Config

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KMSAuto Lite Portable v1.3.5.3\KMSAuto x64.exe
    "C:\Users\Admin\AppData\Local\Temp\KMSAuto Lite Portable v1.3.5.3\KMSAuto x64.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
      2⤵
        PID:1968

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2320-0-0x0000000140000000-0x0000000140607000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2320-1-0x0000000140000000-0x0000000140607000-memory.dmp

      Filesize

      6.0MB

      Download