Overview

overview

10

Static

static

10

0811cf7c27...de.exe

windows7-x64

9

0dd0b31f05...24.exe

windows7-x64

7

1ad888606f...e0.exe

windows7-x64

3

1c77a07e45...95.exe

windows7-x64

10

23f1c183af...bc.exe

windows7-x64

10

38e891599d...90.exe

windows7-x64

10

3a13e092e9...db.exe

windows7-x64

4

3b9dabd99d...82.exe

windows7-x64

3

58fe9776f3...06.exe

windows7-x64

10

5ab93bd422...11.exe

windows7-x64

3

6b06c25fc6...43.exe

windows7-x64

10

6cc8001c9b...07.exe

windows7-x64

1

73ca5dd6d4...3f.exe

windows7-x64

10

7b931d48ea...f0.exe

windows7-x64

10

7d6892645b...0f.exe

windows7-x64

10

9036aeb570...7e.exe

windows7-x64

3

9b6289a8bf...2b.exe

windows7-x64

8

acf2b76704...a7.exe

windows7-x64

3

af2f191f8d...53.exe

windows7-x64

10

cc7045d9fe...ab.dll

windows7-x64

10

d1a6bd542d...a8.exe

windows7-x64

10

efe947e0a8...69.exe

windows7-x64

10

f13edd0b86...9f.exe

windows7-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2024 09:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890.exe

  • Size

    265KB

  • MD5

    048df8f057b4ec78233640a09dd80e9b

  • SHA1

    de16d030b3f5b067e5663eb1d75d2498c00d6817

  • SHA256

    38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890

  • SHA512

    d0cd4ce4c9d930866e269d9f44d44f79d24811d47cc700433c3611a287585b72fdc6d0ab38d07a1c3b76533d5ffd7756248d5ef68b7fe5c5218d631521d5e1b8

  • SSDEEP

    3072:4OUEH7tRFNhHm/4FBVlhmhvXsk/GYtnkAtc3MmJNz7YaoXryNnv0uLT+K/5XK3mL:B7t9hpHlIt/GYiJV7Yaq2nvNLT7/I3m

Score
10/10
gozi3170bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    217161

Extracted

Family

gozi

Botnet

3170

C2

oozoniteco.com

cetalischi.com

duvensteut.com
Attributes
  • build

    217161

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890.exe
    "C:\Users\Admin\AppData\Local\Temp\38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2508
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2736
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:472077 /prefetch:2
      2⤵
        PID:2004
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1632
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1568 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3024
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1088

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5bc7f71ff16765dc7143c661fd72debc

      SHA1

      9323fe9a2934c73d61af6df0bb64ce853375bf06

      SHA256

      594b8965acb066f0d80dec115b477be69301c0a29b50d860b0a1eb381f737a95

      SHA512

      f87bc06faeb90a7b0fb9320911c91ab0f02f7e4c129c54956647413888c0333b15d5ee7f63f592f0b06ad687782e2e2d56fe597a346cb4439ed908e6a3e138b5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      712e4af0dd16745e2982c2e0a4a272ea

      SHA1

      292d9651c138b7b88e3af25eb15d5963d2c8c778

      SHA256

      1687fe5e7931fdb5da559dbc86f4939a0441726f15d9632c7a5e18bce9fe7141

      SHA512

      4f01e65ade1590dc1767dd4683c2654372d02f992ce3b68281f68cfb04e137f28ece668db0da015c0bac55e87106b460798bddaa443599607808cdcff6a60dae

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      689b8b79e77be311259d651803dd2b86

      SHA1

      5ad8d44d38a4bbaf4ed26481782fcaf5fa01c2dd

      SHA256

      8a3c7a9a612749c9b6fba32e4b103cd91a4a0ff710924c91338a948ed98abdd7

      SHA512

      69a99691a29de624f6fce6f797949fb071d12c649c32c5c81b8efcbd0f52c5cc2e985bb3cbd347db26f5cfa522a2e64a8c4ab7f30f88b383bc62d38fb769523f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ab445dca8e25adca3eb6b7f9372be141

      SHA1

      a9667c76fb5be24bd9d27c44f69871879307014a

      SHA256

      bc6d4044394ddf351df94799d85b2d9aaae726eefc841167322a280a12c0a85b

      SHA512

      c85589452acfd3d3e5fb9f5c1fd918da6645faa13744207d18124bee174a57a409398a77c034e6ed1aebb9773f069eafd5dd79240e29482c2002d2e729ad70b9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      68fa3411c103674e48392ce1bba54b63

      SHA1

      d0faf9c743697df8f401b035ee1243dc694e017a

      SHA256

      c9b0d7efbce06ad67643ef98bee37c7c6b3f5710a79c810647f49163e2d0e86e

      SHA512

      0f040e1ec0327d5ce379f1f89290a9a96462bb6a152394749bf4f8f8362000373cea938351c69f5c870cb413a5781d208b4fcc2cc8ce50b92b9000f7049ea88d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a24b5ce32ccb5d178f6c4b75d9fe5c49

      SHA1

      45837e9aa7ef98d83c463ee4285a3e9a2fb34f77

      SHA256

      65f7778d7da9527c41997431a5323489122196d9fbabef1e8d2f93e5b37e06cb

      SHA512

      1784eda1018ae685aacd7f1de64c081729e4793ad5d86b2560abfed489597e1e6081f9ab91a7f2beaed84ddf0857665a8e138c268f337234d5fdfdf8c08b2363

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b3134725b7bece9ba25017ae40e31eae

      SHA1

      996c4e42b2e46a76eddd2d9ac1be92d2bcaaf756

      SHA256

      fc8097b06abcca2c7b47ec92d523ce250bce6faf2642e2c547ea36a6de4d10fa

      SHA512

      8ec59873d68f4ccbe96b5a632bbe2797d326d3ef4edd5d234ba82bddc93fb3e8d1466345045d9ff1465f476068857a32d9da7c5287dc8ef341e3a3ca730895af

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d69e13c7a8b86ee564baccc1c95d5ba3

      SHA1

      685e3a54665731c6eb9b3e78069d2899d82d5e47

      SHA256

      3bd11ad08c0f5225d95b731e3a69651a4bd35237baa4f844fdc82e5a57e1bcd0

      SHA512

      39466d79ae35cc885d6da6bd0a71be71357d2958466c32997e7eeddd14f81c3963e06316b236d7bf01fe8f480ff528fc31b11e82f64c975c2144ff73915ac74d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      de5aba6ff54c26a954b1540cce1e0740

      SHA1

      b0acb80a24ecfdf9bd6e177c521b3afda4b0c8cf

      SHA256

      2be537c41715db9d9f21d5e914209bc1fc83cccb2fda78d8924fc073282a747d

      SHA512

      93383929130a694984db8c7248828f03ae9ebef9824d6a499727e2744a9f5c31bd09aa055b2a2743beff92324f5ca20342582efbf4a68ed3a98dc44eb487f011

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab5370.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar546D.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF931C642B45220E82.TMP
      Filesize

      16KB

      MD5

      63f3dd19cb925d2fa24092fcaa09233b

      SHA1

      9b88b94de562ef5e981c57913dc71633aeefed27

      SHA256

      b774f02369b4cf02803dbe97f12ecd3cc1e13225d1bd7443858fd09025a63ef4

      SHA512

      d4a7c8f2122bf87e53b0e0b4bd247cbbdb36419d0adb4e7fda9eadd40fac3434ec3ce78154edf1ecf661cde232ebd48a549dfd574a1a408be6775742be82036a

      Download Submit

    • memory/2508-0-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2508-7-0x00000000002A0000-0x00000000002A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2508-6-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2508-2-0x0000000000260000-0x000000000027B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2508-1-0x00000000009F0000-0x0000000000A46000-memory.dmp

      Filesize

      344KB

      Download