Overview

overview

10

Static

static

5

13f8bb1af7...be.exe

windows7-x64

10

13f8bb1af7...be.exe

windows10-2004-x64

10

49b84085b7...c6.exe

windows7-x64

10

49b84085b7...c6.exe

windows10-2004-x64

10

639a86559b...3d.exe

windows7-x64

10

639a86559b...3d.exe

windows10-2004-x64

10

c0cf40b883...3a.exe

windows7-x64

8

c0cf40b883...3a.exe

windows10-2004-x64

8

e49778d20a...73.exe

windows7-x64

8

e49778d20a...73.exe

windows10-2004-x64

8

inquiry.scr

windows7-x64

9

inquiry.scr

windows10-2004-x64

9

Накла...15.scr

windows7-x64

3

Накла...15.scr

windows10-2004-x64

3

ПРЕТЕ...Я.scr

windows7-x64

5

ПРЕТЕ...Я.scr

windows10-2004-x64

5

Счет �...08.scr

windows7-x64

3

Счет �...08.scr

windows10-2004-x64

3

карто...я.scr

windows7-x64

5

карто...я.scr

windows10-2004-x64

5

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-11-2024 00:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe

  • Size

    507KB

  • MD5

    6e352a6e96db293f487d1c1996f7ca60

  • SHA1

    887a357a96b9dbb428b6b776a3ec8ca8de746f18

  • SHA256

    49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6

  • SHA512

    bad3b109707b7ba714ccfd41109d6defe9aa2c651cd7dd8c91f536622fa52394071e858a81a2844421a56219527737d395580ea73e250f6cb44c4c1c4959351d

  • SSDEEP

    12288:IEi3NId2zO8PW418jZZUozZuzYgwz3r14Y07KCJ:GrdZ+tZlVUYBzB0KC

Score
10/10
gozibankerdiscoveryisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215798

rsa_pubkey.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe
      "C:\Users\Admin\AppData\Local\Temp\49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Users\Admin\AppData\Local\Temp\49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe
        "C:\Users\Admin\AppData\Local\Temp\49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\FC78\FE3C.bat" "C:\Users\Admin\AppData\Roaming\authtall\authCore.exe" "C:\Users\Admin\AppData\Local\Temp\49B840~1.EXE""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C ""C:\Users\Admin\AppData\Roaming\authtall\authCore.exe" "C:\Users\Admin\AppData\Local\Temp\49B840~1.EXE""
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2760
            • C:\Users\Admin\AppData\Roaming\authtall\authCore.exe
              "C:\Users\Admin\AppData\Roaming\authtall\authCore.exe" "C:\Users\Admin\AppData\Local\Temp\49B840~1.EXE"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2864
              • C:\Users\Admin\AppData\Roaming\authtall\authCore.exe
                "C:\Users\Admin\AppData\Roaming\authtall\authCore.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:2680
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe
                  8⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:2280

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FC78\FE3C.bat
    Filesize

    112B

    MD5

    d96cc54d4bccfdfce75e9d14dae04d41

    SHA1

    8380ae7515bb836ed8f005221cbbc49a95bd3577

    SHA256

    8adc31338814c438767e5ef83e1b888e1ecba7ab902708e78b40fbe01fa50623

    SHA512

    01594c1891ba35aee49a25f5a6a2e694cee70cfc3511ad7cc25021672cc9147cc79c633b5d2a0ce703b1047f63a66bda0d6ad64bfa091a23aba68430acfed7f0

    Download Submit

  • \Users\Admin\AppData\Roaming\authtall\authCore.exe
    Filesize

    507KB

    MD5

    6e352a6e96db293f487d1c1996f7ca60

    SHA1

    887a357a96b9dbb428b6b776a3ec8ca8de746f18

    SHA256

    49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6

    SHA512

    bad3b109707b7ba714ccfd41109d6defe9aa2c651cd7dd8c91f536622fa52394071e858a81a2844421a56219527737d395580ea73e250f6cb44c4c1c4959351d

    Download Submit

  • memory/1192-70-0x0000000005270000-0x0000000005374000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1192-71-0x0000000005270000-0x0000000005374000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1192-73-0x0000000005270000-0x0000000005374000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1192-72-0x0000000005270000-0x0000000005374000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1192-62-0x0000000005270000-0x0000000005374000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2280-54-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2280-57-0x0000000000470000-0x0000000000574000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2280-66-0x0000000000470000-0x0000000000574000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2292-3-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2292-27-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2292-14-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2292-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2292-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-10-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2292-16-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2292-4-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2292-6-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2292-8-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2292-17-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2680-53-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2680-59-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download