gozi | 964b46902e35f2265ff48533ef541f3783c91b2ae8716a3085b8954c68017954

Analysis

max time kernel
1800s
max time network
1720s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03/11/2024, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe
Size

348KB
MD5

ff948412f6437a133022c32e7e94e11b
SHA1

bb60858ac2fa2910e21151262d1990bf50b6d42f
SHA256

13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be
SHA512

3595c83f4106cda9a086d6b84f1110e9e97f5cb9d156d0088ec6229b22098b30650108dd6b4ca2ec1d46b108a1db334f741f7ab0e694960be3f5f72aff9194b4
SSDEEP

6144:q7P2fhhwRRWJhL+H/TZ5A9TYcwElgB2EYwxYeEZIGJABN6e:q7gSRWJhSH7tNB2E7xYeEuhD

Score

10^/10

gozi 1020 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1020

line.laslottery.com/htue503dt

line.fastfuel18.com/htue503dt

line.stkingsfunhouse.com/htue503dt

line.lovelacedweddings.com/htue503dt

lansystemstat.com/htue503dt

highnetwork.pw/htue503dt

Attributes

exe_type
worker
server_id
60

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 2 IoCs

pid	Process
1280	comrdemx.exe
2976	comrdemx.exe

Loads dropped DLL 2 IoCs

pid	Process
2152	cmd.exe
2152	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\appmters = "C:\\Users\\Admin\\AppData\\Roaming\\AltTeSvr\\comrdemx.exe"	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 2000	2072	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	31
PID 1280 set thread context of 2976	1280	comrdemx.exe	36
PID 2976 set thread context of 1872	2976	comrdemx.exe	37
PID 1872 set thread context of 1424	1872	svchost.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comrdemx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comrdemx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2976	comrdemx.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2976	comrdemx.exe
1872	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1424	Explorer.EXE
Token: SeShutdownPrivilege	1424	Explorer.EXE
Token: SeShutdownPrivilege	1424	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1424	Explorer.EXE
1424	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1424	Explorer.EXE
1424	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1424	Explorer.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2000	2072	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	31
PID 2072 wrote to memory of 2000	2072	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	31
PID 2072 wrote to memory of 2000	2072	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	31
PID 2072 wrote to memory of 2000	2072	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	31
PID 2072 wrote to memory of 2000	2072	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	31
PID 2072 wrote to memory of 2000	2072	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	31
PID 2072 wrote to memory of 2000	2072	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	31
PID 2072 wrote to memory of 2000	2072	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	31
PID 2072 wrote to memory of 2000	2072	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	31
PID 2072 wrote to memory of 2000	2072	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	31
PID 2072 wrote to memory of 2000	2072	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	31
PID 2000 wrote to memory of 2060	2000	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	32
PID 2000 wrote to memory of 2060	2000	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	32
PID 2000 wrote to memory of 2060	2000	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	32
PID 2000 wrote to memory of 2060	2000	13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe	32
PID 2060 wrote to memory of 2152	2060	cmd.exe	34
PID 2060 wrote to memory of 2152	2060	cmd.exe	34
PID 2060 wrote to memory of 2152	2060	cmd.exe	34
PID 2060 wrote to memory of 2152	2060	cmd.exe	34
PID 2152 wrote to memory of 1280	2152	cmd.exe	35
PID 2152 wrote to memory of 1280	2152	cmd.exe	35
PID 2152 wrote to memory of 1280	2152	cmd.exe	35
PID 2152 wrote to memory of 1280	2152	cmd.exe	35
PID 1280 wrote to memory of 2976	1280	comrdemx.exe	36
PID 1280 wrote to memory of 2976	1280	comrdemx.exe	36
PID 1280 wrote to memory of 2976	1280	comrdemx.exe	36
PID 1280 wrote to memory of 2976	1280	comrdemx.exe	36
PID 1280 wrote to memory of 2976	1280	comrdemx.exe	36
PID 1280 wrote to memory of 2976	1280	comrdemx.exe	36
PID 1280 wrote to memory of 2976	1280	comrdemx.exe	36
PID 1280 wrote to memory of 2976	1280	comrdemx.exe	36
PID 1280 wrote to memory of 2976	1280	comrdemx.exe	36
PID 1280 wrote to memory of 2976	1280	comrdemx.exe	36
PID 1280 wrote to memory of 2976	1280	comrdemx.exe	36
PID 2976 wrote to memory of 1872	2976	comrdemx.exe	37
PID 2976 wrote to memory of 1872	2976	comrdemx.exe	37
PID 2976 wrote to memory of 1872	2976	comrdemx.exe	37
PID 2976 wrote to memory of 1872	2976	comrdemx.exe	37
PID 2976 wrote to memory of 1872	2976	comrdemx.exe	37
PID 2976 wrote to memory of 1872	2976	comrdemx.exe	37
PID 2976 wrote to memory of 1872	2976	comrdemx.exe	37
PID 1872 wrote to memory of 1424	1872	svchost.exe	21
PID 1872 wrote to memory of 1424	1872	svchost.exe	21
PID 1872 wrote to memory of 1424	1872	svchost.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1424
- C:\Users\Admin\AppData\Local\Temp\13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe
  "C:\Users\Admin\AppData\Local\Temp\13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe
    "C:\Users\Admin\AppData\Local\Temp\13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCF2\FAE8.bat" "C:\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe" "C:\Users\Admin\AppData\Local\Temp\13F8BB~1.EXE""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C ""C:\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe" "C:\Users\Admin\AppData\Local\Temp\13F8BB~1.EXE""
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe
        
        "C:\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe" "C:\Users\Admin\AppData\Local\Temp\13F8BB~1.EXE"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe
        
        "C:\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FCF2\FAE8.bat

Filesize
112B

MD5
36daf71d55ebc1956414a992c2fd514c

SHA1
d4d81785fa4262dba1f8c4f81a383ff03b2a484a

SHA256
8b2eb9ed6561582ba883121571232d211e863365b395855570bbc36a606d2194

SHA512
5cfba9b43e6fd1d9d8596688badd6b06665dc81107a62cea0f74bb6c065a3f84b1be9c207c39a6b7292023dfc4854655ca0813ba645f560a6d5b20319144bc08

Download Submit
\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe

Filesize
348KB

MD5
ff948412f6437a133022c32e7e94e11b

SHA1
bb60858ac2fa2910e21151262d1990bf50b6d42f

SHA256
13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be

SHA512
3595c83f4106cda9a086d6b84f1110e9e97f5cb9d156d0088ec6229b22098b30650108dd6b4ca2ec1d46b108a1db334f741f7ab0e694960be3f5f72aff9194b4

Download Submit
memory/1424-61-0x0000000004120000-0x00000000041AA000-memory.dmp

Filesize
552KB

Download
memory/1424-58-0x0000000004120000-0x00000000041AA000-memory.dmp

Filesize
552KB

Download
memory/1424-65-0x0000000004120000-0x00000000041AA000-memory.dmp

Filesize
552KB

Download
memory/1424-64-0x0000000004120000-0x00000000041AA000-memory.dmp

Filesize
552KB

Download
memory/1424-63-0x0000000004120000-0x00000000041AA000-memory.dmp

Filesize
552KB

Download
memory/1424-59-0x0000000004120000-0x00000000041AA000-memory.dmp

Filesize
552KB

Download
memory/1424-50-0x0000000004120000-0x00000000041AA000-memory.dmp

Filesize
552KB

Download
memory/1424-66-0x0000000004120000-0x00000000041AA000-memory.dmp

Filesize
552KB

Download
memory/1424-60-0x0000000004120000-0x00000000041AA000-memory.dmp

Filesize
552KB

Download
memory/1424-67-0x0000000004120000-0x00000000041AA000-memory.dmp

Filesize
552KB

Download
memory/1424-69-0x0000000004120000-0x00000000041AA000-memory.dmp

Filesize
552KB

Download
memory/1872-48-0x00000000003B0000-0x000000000043A000-memory.dmp

Filesize
552KB

Download
memory/1872-54-0x00000000003B0000-0x000000000043A000-memory.dmp

Filesize
552KB

Download
memory/1872-43-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1872-45-0x00000000003B0000-0x000000000043A000-memory.dmp

Filesize
552KB

Download
memory/1872-42-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/2000-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-3-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2000-22-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-5-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-4-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-49-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2976-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download