gozi | 732f00a1a664ca6b7a3b19a4f533a32719c7f1d688e3175e6e5118e7cd829693

Analysis

max time kernel
109s
max time network
114s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll
Size

672KB
MD5

727235afc25234c92c82e99c05a9f0c8
SHA1

a200141f482b8d470e0a3c1a7638a74df9987920
SHA256

732f00a1a664ca6b7a3b19a4f533a32719c7f1d688e3175e6e5118e7cd829693
SHA512

94eda3f5ad431382d51d98af49bb8672d79d7996b6beeb2e9ab7e036b6784a513ca1ebb2b3db35cb591ffd7a667c9605cb0948996bba30253f597955ad377db9
SSDEEP

12288:97EFH9MS0eApw2fmB1zNDLRfm4yVjg6AI18R5kQSuOscoujeNR:97EIeewHNIAIiRmQ9ujeNR

Score

10^/10

gozi 1000 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

http://ey7kuuklgieop2pq.onion

http://shoshanna.at

http://maiamirainy.at

Attributes

build
217027
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\cats32gt = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Comr8030\\Deviclnt.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 2936	2152	rundll32.exe	31
PID 2936 set thread context of 1344	2936	control.exe	21
PID 2936 set thread context of 1732	2936	control.exe	32
PID 1344 set thread context of 2612	1344	Explorer.EXE	39

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2152	rundll32.exe
1344	Explorer.EXE

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2152	rundll32.exe
2936	control.exe
2936	control.exe
1344	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1344	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2152	2132	rundll32.exe	30
PID 2132 wrote to memory of 2152	2132	rundll32.exe	30
PID 2132 wrote to memory of 2152	2132	rundll32.exe	30
PID 2132 wrote to memory of 2152	2132	rundll32.exe	30
PID 2132 wrote to memory of 2152	2132	rundll32.exe	30
PID 2132 wrote to memory of 2152	2132	rundll32.exe	30
PID 2132 wrote to memory of 2152	2132	rundll32.exe	30
PID 2152 wrote to memory of 2936	2152	rundll32.exe	31
PID 2152 wrote to memory of 2936	2152	rundll32.exe	31
PID 2152 wrote to memory of 2936	2152	rundll32.exe	31
PID 2152 wrote to memory of 2936	2152	rundll32.exe	31
PID 2152 wrote to memory of 2936	2152	rundll32.exe	31
PID 2152 wrote to memory of 2936	2152	rundll32.exe	31
PID 2152 wrote to memory of 2936	2152	rundll32.exe	31
PID 2936 wrote to memory of 1344	2936	control.exe	21
PID 2936 wrote to memory of 1344	2936	control.exe	21
PID 2936 wrote to memory of 1344	2936	control.exe	21
PID 2936 wrote to memory of 1732	2936	control.exe	32
PID 2936 wrote to memory of 1732	2936	control.exe	32
PID 2936 wrote to memory of 1732	2936	control.exe	32
PID 2936 wrote to memory of 1732	2936	control.exe	32
PID 2936 wrote to memory of 1732	2936	control.exe	32
PID 2936 wrote to memory of 1732	2936	control.exe	32
PID 1344 wrote to memory of 2240	1344	Explorer.EXE	34
PID 1344 wrote to memory of 2240	1344	Explorer.EXE	34
PID 1344 wrote to memory of 2240	1344	Explorer.EXE	34
PID 2240 wrote to memory of 2640	2240	cmd.exe	36
PID 2240 wrote to memory of 2640	2240	cmd.exe	36
PID 2240 wrote to memory of 2640	2240	cmd.exe	36
PID 1344 wrote to memory of 1924	1344	Explorer.EXE	37
PID 1344 wrote to memory of 1924	1344	Explorer.EXE	37
PID 1344 wrote to memory of 1924	1344	Explorer.EXE	37
PID 1344 wrote to memory of 2612	1344	Explorer.EXE	39
PID 1344 wrote to memory of 2612	1344	Explorer.EXE	39
PID 1344 wrote to memory of 2612	1344	Explorer.EXE	39
PID 1344 wrote to memory of 2612	1344	Explorer.EXE	39
PID 1344 wrote to memory of 2612	1344	Explorer.EXE	39
PID 1344 wrote to memory of 2612	1344	Explorer.EXE	39
PID 1344 wrote to memory of 2612	1344	Explorer.EXE	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll,#1
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\system32\control.exe
      C:\Windows\system32\control.exe /?
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
        5⤵
        
        PID:1732
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\767C.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:2640
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\767C.bi1"
  2⤵
  PID:1924
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\767C.bi1

Filesize
121B

MD5
58910db4e6beb9df6a7facc8ff9ebd01

SHA1
4ac7a11682951faa9a2158955ec2887f2b54b7b2

SHA256
8da116d5ff7ffd87e9839c748496155d74e6a425028514d324ddcf33ac00570f

SHA512
ee5046838fef65364b93468ac35d97a6d1d028d897b8088fee77a88b977177c8d22e463b369a44048a40f2ea2e50f3acc54bcf314571c146a7602b67680260b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Comr8030\Deviclnt.dll

Filesize
672KB

MD5
727235afc25234c92c82e99c05a9f0c8

SHA1
a200141f482b8d470e0a3c1a7638a74df9987920

SHA256
732f00a1a664ca6b7a3b19a4f533a32719c7f1d688e3175e6e5118e7cd829693

SHA512
94eda3f5ad431382d51d98af49bb8672d79d7996b6beeb2e9ab7e036b6784a513ca1ebb2b3db35cb591ffd7a667c9605cb0948996bba30253f597955ad377db9

Download Submit
memory/1344-56-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1344-31-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1344-33-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1344-61-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1344-42-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1344-24-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1344-30-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1344-60-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1344-32-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1344-40-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1344-62-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1344-37-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1344-36-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1344-34-0x00000000041E0000-0x0000000004291000-memory.dmp

Filesize
708KB

Download
memory/1732-43-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1732-41-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download
memory/1732-48-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1732-47-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2152-12-0x00000000001D0000-0x000000000021A000-memory.dmp

Filesize
296KB

Download
memory/2152-4-0x0000000002140000-0x0000000002AF1000-memory.dmp

Filesize
9.7MB

Download
memory/2152-23-0x0000000002140000-0x0000000002AF1000-memory.dmp

Filesize
9.7MB

Download
memory/2152-1-0x0000000002140000-0x0000000002AF1000-memory.dmp

Filesize
9.7MB

Download
memory/2152-2-0x00000000021DD000-0x00000000021E2000-memory.dmp

Filesize
20KB

Download
memory/2152-5-0x00000000001D0000-0x000000000021A000-memory.dmp

Filesize
296KB

Download
memory/2152-3-0x0000000002140000-0x0000000002AF1000-memory.dmp

Filesize
9.7MB

Download
memory/2152-0-0x0000000002140000-0x0000000002AF1000-memory.dmp

Filesize
9.7MB

Download
memory/2612-57-0x0000000001C40000-0x0000000001CE4000-memory.dmp

Filesize
656KB

Download
memory/2936-51-0x0000000001C00000-0x0000000001CB1000-memory.dmp

Filesize
708KB

Download
memory/2936-14-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2936-20-0x0000000001C00000-0x0000000001CB1000-memory.dmp

Filesize
708KB

Download
memory/2936-15-0x0000000001C00000-0x0000000001CB1000-memory.dmp

Filesize
708KB

Download
memory/2936-19-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2936-28-0x0000000001C00000-0x0000000001CB1000-memory.dmp

Filesize
708KB

Download