Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2024 17:33

General

  • Target

    1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe

  • Size

    3.0MB

  • MD5

    da71f21e17cbdbaa61559208f749b05a

  • SHA1

    25bbda63d584499839fc74176347eba9123a5aec

  • SHA256

    1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9

  • SHA512

    39af3c295fd18e912f94fb0547204f0007c1aab60086f0f087eb0a68f37027a8587b5c229f497a1383d1b1ee813bb27f7960de8e65e088e8ff4e2fbcf2b88815

  • SSDEEP

    49152:NM6QvSFjoSiwYdqtQwx4HIkfBusKoXMhQqcZocr9ZRKDW9YMNf0P0ZUKLo/l:NMFwESiPd+mok6hQroCKDWWMxUKLo/l

Malware Config

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe
    "C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E292.tmp\E293.bat C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe
        2.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe

    Filesize

    1.6MB

    MD5

    a99128027215ad1dbb57216f1609bd2b

    SHA1

    aa945b1d72e6593d6961f2186a99dacf40910153

    SHA256

    8c9345cd34b8f57a49574df8131f44b7d643edd20a653cd51f508dafaad0c4de

    SHA512

    391d3dfbbbcc2f22d7fab75572bf5fa6876e0703ad688fb00a293b1df4fae53077c64139d4a2f14fbe9d088595974fde91d4da7137f5c91fda36a6eb89a2176c

  • C:\Users\Admin\AppData\Local\Temp\E292.tmp\E293.bat

    Filesize

    48B

    MD5

    a4d54825c48a32efc53e34ea0f588d1c

    SHA1

    cd5815db470cf3af4d6ce658151eb24fef1c664f

    SHA256

    a80606f4473428d06cee3e62fd68ec7fc9b99a563260a5ed0d012d76634efe39

    SHA512

    74058d5b0e14ad7b453ed6119e483d3ac3281405f29f2f804c67c0e3b112c68349d8893e8232e3ca93695f43705fcf6a18ec3f6016e68bfe11b1b10a79ba723b

  • memory/2172-0-0x0000000000400000-0x00000000005B5000-memory.dmp

    Filesize

    1.7MB

  • memory/2172-10-0x0000000000400000-0x00000000005B5000-memory.dmp

    Filesize

    1.7MB