Overview

overview

10

Static

static

5

13f8bb1af7...be.exe

windows7-x64

10

49b84085b7...c6.exe

windows7-x64

10

639a86559b...3d.exe

windows7-x64

10

Счет �...15.scr

windows7-x64

3

Счет �...08.scr

windows7-x64

3

inquiry.scr

windows7-x64

9

c0cf40b883...3a.exe

windows7-x64

8

e49778d20a...73.exe

windows7-x64

8

ПРЕТЕ...Я.scr

windows7-x64

5

карто...я.scr

windows7-x64

5

Analysis

  • max time kernel
    300s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe

  • Size

    507KB

  • MD5

    6e352a6e96db293f487d1c1996f7ca60

  • SHA1

    887a357a96b9dbb428b6b776a3ec8ca8de746f18

  • SHA256

    49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6

  • SHA512

    bad3b109707b7ba714ccfd41109d6defe9aa2c651cd7dd8c91f536622fa52394071e858a81a2844421a56219527737d395580ea73e250f6cb44c4c1c4959351d

  • SSDEEP

    12288:IEi3NId2zO8PW418jZZUozZuzYgwz3r14Y07KCJ:GrdZ+tZlVUYBzB0KC

Score
10/10
gozibankerdiscoveryisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215798

rsa_pubkey.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1164
    • C:\Users\Admin\AppData\Local\Temp\49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe
      "C:\Users\Admin\AppData\Local\Temp\49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Users\Admin\AppData\Local\Temp\49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe
        "C:\Users\Admin\AppData\Local\Temp\49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\BEFC\5F7E.bat" "C:\Users\Admin\AppData\Roaming\comrdemx\appmters.exe" "C:\Users\Admin\AppData\Local\Temp\49B840~1.EXE""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C ""C:\Users\Admin\AppData\Roaming\comrdemx\appmters.exe" "C:\Users\Admin\AppData\Local\Temp\49B840~1.EXE""
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Users\Admin\AppData\Roaming\comrdemx\appmters.exe
              "C:\Users\Admin\AppData\Roaming\comrdemx\appmters.exe" "C:\Users\Admin\AppData\Local\Temp\49B840~1.EXE"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1044
              • C:\Users\Admin\AppData\Roaming\comrdemx\appmters.exe
                "C:\Users\Admin\AppData\Roaming\comrdemx\appmters.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:2224
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe
                  8⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:1004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BEFC\5F7E.bat
    Filesize

    112B

    MD5

    d063eb1e0703df75ad9d98f1726b1183

    SHA1

    c158b6dec4ea081b4ef840b8b31842f3ee2f7d38

    SHA256

    9d8c7a6262b9777a56bc18a602320b3af8a55d19fa8ae83c218b4ecf8c980818

    SHA512

    9fdbd6fca19507def0786cc3128856799396b9402ab0574080338b4f3682bc0d3929411176ff004aab91208695604af3d0000649408287516a0d6bfd0f1f0b3c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\comrdemx\appmters.exe
    Filesize

    507KB

    MD5

    6e352a6e96db293f487d1c1996f7ca60

    SHA1

    887a357a96b9dbb428b6b776a3ec8ca8de746f18

    SHA256

    49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6

    SHA512

    bad3b109707b7ba714ccfd41109d6defe9aa2c651cd7dd8c91f536622fa52394071e858a81a2844421a56219527737d395580ea73e250f6cb44c4c1c4959351d

    Download Submit

  • memory/1004-61-0x0000000000510000-0x0000000000614000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1004-56-0x0000000000510000-0x0000000000614000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1004-53-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1164-70-0x00000000069C0000-0x0000000006AC4000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1164-71-0x00000000069C0000-0x0000000006AC4000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1164-72-0x00000000069C0000-0x0000000006AC4000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1164-73-0x00000000069C0000-0x0000000006AC4000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1164-62-0x00000000069C0000-0x0000000006AC4000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2224-60-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2224-52-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2824-27-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2824-2-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2824-4-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2824-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2824-6-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2824-8-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2824-10-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2824-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-17-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2824-16-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2824-14-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download