Overview

overview

10

Static

static

3

8be3020f14...9d.exe

windows7-x64

10

8be3020f14...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03-06-2024 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8be3020f14cf03134b861ba68547d29d.exe

  • Size

    354KB

  • MD5

    8be3020f14cf03134b861ba68547d29d

  • SHA1

    837dce0b3612c9a7c85a1f099671463e55708173

  • SHA256

    2330ffcc2a47cc7af17b448502f6270b6c034140cef57d4b5aee72fd5b687cd3

  • SHA512

    7cb93f9cf3c01666747840366918e78592ae071b65351f61eb9516d3cfad3e8c49a38bcc341711a6ad21875b8d333a8315e4cf3ef4828f536e3b198d428c0f8e

  • SSDEEP

    6144:jap7pQMOtvhiNyVyZHbzU5/JMi+xLus/AWQB9X:IpWhcyIZHnU5RPu4B9X

Score
10/10
gozi3177bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214062

Extracted

Family

gozi

Botnet

3177

C2

wgcjeremy11.band

skelsigabriella.fun

xelectauishanie.email
Attributes
  • build

    214062

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8be3020f14cf03134b861ba68547d29d.exe
    "C:\Users\Admin\AppData\Local\Temp\8be3020f14cf03134b861ba68547d29d.exe"
    1⤵
      PID:2096
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2696
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:876
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2672
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1648
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:572 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1484

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      6362218c0ab03dd7a1f4b90821ae5cf6

      SHA1

      493835036031781e5e2190c2ba5bf74e4cd7da13

      SHA256

      47553ce094f9a5cf8d96aaf463962c8088c028255c4581284ac789ede8da7a74

      SHA512

      67186ac9cf8a87785418b15728f11b38d736cd57591b4edb3483d9e103cd5f621b7263586832ab1e1aabb0a253c770c6ebe196a735d5e80ca2ab029a5b89a1ee

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      df22452211a07309c35b7c275729d321

      SHA1

      dd16b619f855db500dba860c6ab353af589df996

      SHA256

      6715307d401f18677b0414f74bab2cc317083ade01dc813b059f3accfafebbd6

      SHA512

      3eb7edd082997cdfd6f64b401cc81fdce415b958e7374681c30a6b5ee658a6a9d67e688b9e9df3a7bfb18e1c8dff97595950d051b7aae799655d31ab8f541c86

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      8157bd192ec385751608a1256076d70d

      SHA1

      d4935129f513bf51909eac389a2e38cb043242b7

      SHA256

      d4d9cd5ea29ff4ed57ee55be2c3b058667c3bc0857adefde0e770901bd193172

      SHA512

      ec51411e16886516700ee469e2110fdbbf93dab0141ce3c62198ed5b87b7b4e378266bd5d37a0bb1c194dbf6106ea26b0c51563ddd4241d1dff0b4c0a38b6cfa

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c26739b4ad4d1dea0ed673ae488df0ce

      SHA1

      0400c189553cba3ebabb35749008765396b96cba

      SHA256

      87ab0293e6030a19490324122fd0c12a6ede5b413c20c7051b6d4bd3f64517af

      SHA512

      08ab82d786de88f387a6e8b66838fd70767c7ff8bd7bf768b0262001e15fab6cc7678992b6ee5f3d643bc912a1bd9b5922eb3cabc1fba5d503ef31da938972ed

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      83790d6ff53cdab7cc4e628bcac77fda

      SHA1

      bd16ac9efd1eabd71b1d7828408aed3b9fcbbacc

      SHA256

      9abf18cf64b4604027ea224eede5e62dfc3742d21ab0028b343ec159018e6f1d

      SHA512

      d91ef9ccbc9e9cc4e57722aed97f5191a4553715330a0570744c331feb411d73a14afd577af63fa86624eda5f941d7b6bc5a2d13bd6ce77791075392ba0d5a3b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      77c84aa62138b3c3f67291e322bbffb8

      SHA1

      1c7478f7c29d046eb761ca81dd2491327f6cfb5f

      SHA256

      610fb14eef8de19299de181e64c9831d83ef93dd711d8c898fdfcea61db53d0a

      SHA512

      ad54532ea54c043fec192bbf8999c7f95d87061fdcf8dbaba6c020a99f20b87d71633b6b0c0b5147e7e5a3aad0aebe22e96446a652e7ba49268b06e41ffee922

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0ff8d48374a1ec78e5147b4283c4964b

      SHA1

      baa7381970875adf1f92724297bbe0b2fdf17774

      SHA256

      a54c996d78347f0530c53025caf7d4199d022767eb106ef1247e7da2a9c46563

      SHA512

      c001ecb5e1b4fb33b499db3f3c0a670141a9dcecfd709bbd32e475cd7ccad55bc0c0ec363f662107050ee2d17cee2c3371ab3b34e44bd56a392fc86c0dad1bdc

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      61979c9ee2eaff9b9ba6ff799a62cff5

      SHA1

      e748bdfc687ceee547628603450cdbb63b94d379

      SHA256

      4ee7e84579d852ea15b5e3baf188e7303c7a01edb5db874d055baf59b5635506

      SHA512

      d18794fed9c6b4337538487ab04b39ad698738d85086b92cd966d6e173d47a59f910b23c495d7260ec1dc010f650b2cb528fdee97d907ffae2819847aa6444a5

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52G8PVLC\NewErrorPageTemplate[1]
      Filesize

      1KB

      MD5

      cdf81e591d9cbfb47a7f97a2bcdb70b9

      SHA1

      8f12010dfaacdecad77b70a3e781c707cf328496

      SHA256

      204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

      SHA512

      977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\httpErrorPagesScripts[2]
      Filesize

      8KB

      MD5

      3f57b781cb3ef114dd0b665151571b7b

      SHA1

      ce6a63f996df3a1cccb81720e21204b825e0238c

      SHA256

      46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

      SHA512

      8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MEFTDE7Q\errorPageStrings[1]
      Filesize

      2KB

      MD5

      e3e4a98353f119b80b323302f26b78fa

      SHA1

      20ee35a370cdd3a8a7d04b506410300fd0a6a864

      SHA256

      9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

      SHA512

      d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\dnserror[1]
      Filesize

      1KB

      MD5

      73c70b34b5f8f158d38a94b9d7766515

      SHA1

      e9eaa065bd6585a1b176e13615fd7e6ef96230a9

      SHA256

      3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

      SHA512

      927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab95FA.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar968F.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~DF8597BCFD2D289DBB.TMP
      Filesize

      16KB

      MD5

      b18eb8d7c7aa41773ba2be5694cdbc33

      SHA1

      3c4e73e1261ecbb4f85fa0ba418ac3f9e40e792c

      SHA256

      cb38442b2a8db3f8e55cce10410d35605b89a58bc7e0f4813861dc99a789b49a

      SHA512

      5cb406c66e75efed6c781735ab2ac71409d983a61784482d1ba9f4de6fbeb0cfb3f0a7c365a72b1d959e64f207d611e806ca9336e1a42193189ceb1880799a6a

      Download Submit
    • memory/2096-0-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/2096-1-0x0000000000230000-0x0000000000231000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2096-2-0x0000000000260000-0x000000000027B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/2096-6-0x00000000002A0000-0x00000000002A2000-memory.dmp
      Filesize

      8KB

      Download