Overview

overview

10

Static

static

5

0442cfabb3...ab.exe

windows7-x64

8

c0cf40b883...3a.exe

windows7-x64

8

cry1.exe

windows7-x64

8

cry2.exe

windows7-x64

8

cry3.exe

windows7-x64

10

cry4.exe

windows7-x64

10

cry5.exe

windows7-x64

8

cry6.exe

windows7-x64

10

e49778d20a...73.exe

windows7-x64

8

inquiry.scr

windows7-x64

9

Накла...15.scr

windows7-x64

3

ПРЕТЕ...Я.scr

windows7-x64

5

Счет �...08.scr

windows7-x64

3

карто...я.scr

windows7-x64

5

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Desktop.rar

  • Size

    4.0MB

  • Sample

    241105-m91yhasnck

  • MD5

    61c19d7ab4c80c40b88c6f8744127b68

  • SHA1

    619affa2f72807e549b49fe9661db57716d2960d

  • SHA256

    a6bd6ddfd9f1f5a6afc1a681707d97a29d2c89bdebf34a58117292f46df9f5c7

  • SHA512

    76b8fc7eaa8e7363551be38f96dfa6d267eba061f4162514b117fdad382dcbf0c74ed07bc5b22b01036975fba79d96fb276cfd5756945cac6bf094ea6948639e

  • SSDEEP

    98304:WyYYP+lvpqEBMZKCpWU1Kq5dGlq6IZRGlqM:ovEE5CGjs8sM

Score
10/10
gozi1020bankercredential_accessdefense_evasiondiscoveryexecutionimpactisfbpersistenceransomwarespywarestealertrojanupx

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215798

rsa_pubkey.plain

Extracted

Family

gozi

Botnet

1020

C2

line.laslottery.com/htue503dt

line.fastfuel18.com/htue503dt

line.stkingsfunhouse.com/htue503dt

line.lovelacedweddings.com/htue503dt

lansystemstat.com/htue503dt

highnetwork.pw/htue503dt
Attributes
  • exe_type

    worker

  • server_id

    60

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe

    • Size

      370KB

    • MD5

      2aea3b217e6a3d08ef684594192cafc8

    • SHA1

      3a0b855dd052b2cdc6453f6cbdb858c7b55762b0

    • SHA256

      0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab

    • SHA512

      ea83fcb7465e48445f2213028713c4048ac575b9c2f7458a014c495bddb280be553a22b1056284efad7dd55c2a7837096755206581c67bb0183e4ac42160011a

    • SSDEEP

      6144:oRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYlG8+rNfNQFoQGt485VY:uDRbXFHW1+K2UWBGIymY/+rheFOv

    Score
    8/10
    discoverypersistenceransomwarespywarestealer

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

    • Target

      c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe

    • Size

      370KB

    • MD5

      a890e2f924dea3cb3e46a95431ffae39

    • SHA1

      35719ee58a5771156bc956bcf1b5c54ac3391593

    • SHA256

      c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a

    • SHA512

      664fb8075712912be30185d17d912dae148e778627e852affe1b1080bb9c8d5917e7b3c1d194e62ac6919c16235754f776523ba7ce95af38be86b61cc3e3d162

    • SSDEEP

      6144:KRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+G5l9PAzJdVeO2Ui:sDRbXFHW1+K2UWBGIymYG+i9A+ONi

    Score
    8/10
    discoverypersistenceransomwarespywarestealer

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral2

    • Target

      cry1.exe

    • Size

      370KB

    • MD5

      a890e2f924dea3cb3e46a95431ffae39

    • SHA1

      35719ee58a5771156bc956bcf1b5c54ac3391593

    • SHA256

      c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a

    • SHA512

      664fb8075712912be30185d17d912dae148e778627e852affe1b1080bb9c8d5917e7b3c1d194e62ac6919c16235754f776523ba7ce95af38be86b61cc3e3d162

    • SSDEEP

      6144:KRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+G5l9PAzJdVeO2Ui:sDRbXFHW1+K2UWBGIymYG+i9A+ONi

    Score
    8/10
    discoverypersistenceransomwarespywarestealer

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral3

    • Target

      cry2.exe

    • Size

      370KB

    • MD5

      a890e2f924dea3cb3e46a95431ffae39

    • SHA1

      35719ee58a5771156bc956bcf1b5c54ac3391593

    • SHA256

      c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a

    • SHA512

      664fb8075712912be30185d17d912dae148e778627e852affe1b1080bb9c8d5917e7b3c1d194e62ac6919c16235754f776523ba7ce95af38be86b61cc3e3d162

    • SSDEEP

      6144:KRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+G5l9PAzJdVeO2Ui:sDRbXFHW1+K2UWBGIymYG+i9A+ONi

    Score
    8/10
    discoverypersistenceransomwarespywarestealer

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral4

    • Target

      cry3.exe

    • Size

      348KB

    • MD5

      ff948412f6437a133022c32e7e94e11b

    • SHA1

      bb60858ac2fa2910e21151262d1990bf50b6d42f

    • SHA256

      13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be

    • SHA512

      3595c83f4106cda9a086d6b84f1110e9e97f5cb9d156d0088ec6229b22098b30650108dd6b4ca2ec1d46b108a1db334f741f7ab0e694960be3f5f72aff9194b4

    • SSDEEP

      6144:q7P2fhhwRRWJhL+H/TZ5A9TYcwElgB2EYwxYeEZIGJABN6e:q7gSRWJhSH7tNB2E7xYeEuhD

    Score
    10/10
    gozi1020bankerdiscoveryisfbtrojan

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Gozi family

      gozi

    • Suspicious use of SetThreadContext

    behavioral5

    • Target

      cry4.exe

    • Size

      507KB

    • MD5

      6e352a6e96db293f487d1c1996f7ca60

    • SHA1

      887a357a96b9dbb428b6b776a3ec8ca8de746f18

    • SHA256

      49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6

    • SHA512

      bad3b109707b7ba714ccfd41109d6defe9aa2c651cd7dd8c91f536622fa52394071e858a81a2844421a56219527737d395580ea73e250f6cb44c4c1c4959351d

    • SSDEEP

      12288:IEi3NId2zO8PW418jZZUozZuzYgwz3r14Y07KCJ:GrdZ+tZlVUYBzB0KC

    Score
    10/10
    gozibankerdiscoveryisfbpersistencetrojan

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Gozi family

      gozi

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral6

    • Target

      cry5.exe

    • Size

      329KB

    • MD5

      adb5c262ca4f95fee36ae4b9b5d41d45

    • SHA1

      cdbe420609fec04ddf3d74297fc2320b6a8a898e

    • SHA256

      e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573

    • SHA512

      dad3541217a7f1fde669441a3f987794ee58ae44e7899d7ed5ebdf59e8174e2924441ea8474701908071df74479a4f928b673c2d9086c67078a2a861b61ba754

    • SSDEEP

      6144:TRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+N6MSiF0Q5XNN:pDRbXFHW1+K2UWBGIymYG+zn

    Score
    8/10
    discoverypersistenceransomwarespywarestealer

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral7

    • Target

      cry6.exe

    • Size

      511KB

    • MD5

      afb4846bd287f31e6297cb4095aece65

    • SHA1

      b92d682a800d82ff6e980deae88f6cb7e048c11d

    • SHA256

      639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d

    • SHA512

      8f5b3062a7f4faada34001bbe8510235d20b3d507ee0858ef23db92853f31a3075c60e37738a93e1385995199c9d99dccb7e547247fc9af5b8a8f3557d03d070

    • SSDEEP

      12288:nTY7/WAuLAOOxsgfj40bDKg0m7t4is8jYar:kusO+RDKgJBnsgYa

    Score
    10/10
    gozibankerdiscoveryisfbpersistencetrojan

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Gozi family

      gozi

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral8

    • Target

      e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe

    • Size

      329KB

    • MD5

      adb5c262ca4f95fee36ae4b9b5d41d45

    • SHA1

      cdbe420609fec04ddf3d74297fc2320b6a8a898e

    • SHA256

      e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573

    • SHA512

      dad3541217a7f1fde669441a3f987794ee58ae44e7899d7ed5ebdf59e8174e2924441ea8474701908071df74479a4f928b673c2d9086c67078a2a861b61ba754

    • SSDEEP

      6144:TRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+N6MSiF0Q5XNN:pDRbXFHW1+K2UWBGIymYG+zn

    Score
    8/10
    discoverypersistenceransomwarespywarestealer

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral9

    • Target

      inquiry.scr

    • Size

      326KB

    • MD5

      f4d9b484375b2cb5413c6425dc75e681

    • SHA1

      4e90a435759d6f2dffebba6e26f196ef88891e20

    • SHA256

      8cc1b94b6d5df9bc92e500a8c52877f3fdaeeba7862756a82c36fa363ae22ade

    • SHA512

      b47b88b38c8f505dfda8f80ba8f5175ab607a032a6a84e47158f80cd7769cffd5a2a579b12317167abdb9d1a0bf4c922d98e8b18566f61ad417a0c76cf0d3d50

    • SSDEEP

      6144:tcExBVCbiKM3zvdbvgmDAz2z9HViJocXZY9ltuSuEz4qQcZc:aEfVw8DvdLgYA4gXOuFEU3

    Score
    9/10
    credential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral10

    • Target

      Накладная для 1736 от 26.08.2015.scr

    • Size

      666KB

    • MD5

      431dec6895f8bc58b30999dbf42b16b3

    • SHA1

      31627f1bd918b8dc768ca49efc940700c9e478f3

    • SHA256

      78712a327850ff677ab0a4a299ded9b05f3bd7680a3d5997729555de64d57b45

    • SHA512

      922111bee58a2b93b9ca84b049050659321c1ff0e2751155fa71ebf38576336289e25b9431c38cfaa67af311ebd5e685d4f300ce3eb138cf6f50f818479e6e00

    • SSDEEP

      12288:1XmwRo+mv8QD4+0N46OGHhikTJ87dd4fP+UVp5158fQ6asdgqislMo8GaJ:1X48QE+UQOXu4XrVp/X/sjllMw+

    Score
    3/10
    discovery
    behavioral11

    • Target

      ПРЕТЕНЗИЯ.scr

    • Size

      231KB

    • MD5

      6c01e0f297debe4606cf2cab510c38ab

    • SHA1

      cea2a8e2f75a027fbbcada3aae952247009cdfbc

    • SHA256

      d228eaf1e691f993be276129421583737f85185eb8f04695db7707dc3ac175fb

    • SHA512

      c56ec26ccde738aef65d35e8adbb5f871194716f23b90532d9ec397f2ea2788b8b186eb2787e166eb2e898a579081525a0ea806dbb1cb0b3ee7e49af7ad97b50

    • SSDEEP

      6144:THJih6+NSgZ7OT1Oq1qbS1x9pAxEP3vgBHK:TpWRZ7OJODuq6/

    Score
    5/10
    discoveryupx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral12

    • Target

      Счет на оплату от 26-08.scr

    • Size

      666KB

    • MD5

      431dec6895f8bc58b30999dbf42b16b3

    • SHA1

      31627f1bd918b8dc768ca49efc940700c9e478f3

    • SHA256

      78712a327850ff677ab0a4a299ded9b05f3bd7680a3d5997729555de64d57b45

    • SHA512

      922111bee58a2b93b9ca84b049050659321c1ff0e2751155fa71ebf38576336289e25b9431c38cfaa67af311ebd5e685d4f300ce3eb138cf6f50f818479e6e00

    • SSDEEP

      12288:1XmwRo+mv8QD4+0N46OGHhikTJ87dd4fP+UVp5158fQ6asdgqislMo8GaJ:1X48QE+UQOXu4XrVp/X/sjllMw+

    Score
    3/10
    discovery
    behavioral13

    • Target

      карточка предприятия.scr

    • Size

      185KB

    • MD5

      f1b11de8044720671240999846fe5e69

    • SHA1

      03ae6c1090cd6392365fe9d4cfc061bb626688ad

    • SHA256

      37f6ccf41a6f66008651c0d272090da64b3b28f6970a9404cb5ecf886ea776b1

    • SHA512

      8c4bd6b406a1e2edf3f6bb9bb6b3debae4b6b312e474b4a9bedb93b097a45d193a4a3d6a0119e2ade467ced262ef9941e4c578720d227b9be58a8cdb44074894

    • SSDEEP

      3072:R/JLIuc9pgKqUsZ+tKbewtr2ab+/MThp5rTTiLIQ1mKCRhgvpIXljSQ1ZdBc:R/JFutWDWabJ1PrTeLD1FyhgvpIXlV1P

    Score
    5/10
    discoveryupx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Tasks

static1

upx
Score
5/10

behavioral1

discoverypersistenceransomwarespywarestealer
Score
8/10

behavioral2

discoverypersistenceransomwarespywarestealer
Score
8/10

behavioral3

discoverypersistenceransomwarespywarestealer
Score
8/10

behavioral4

discoverypersistenceransomwarespywarestealer
Score
8/10

behavioral5

gozi1020bankerdiscoveryisfbtrojan
Score
10/10

behavioral6

gozibankerdiscoveryisfbpersistencetrojan
Score
10/10

behavioral7

discoverypersistenceransomwarespywarestealer
Score
8/10

behavioral8

gozibankerdiscoveryisfbpersistencetrojan
Score
10/10

behavioral9

discoverypersistenceransomwarespywarestealer
Score
8/10

behavioral10

credential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer
Score
9/10

behavioral11

discovery
Score
3/10

behavioral12

discoveryupx
Score
5/10

behavioral13

discovery
Score
3/10

behavioral14

discoveryupx
Score
5/10