Overview

overview

10

Static

static

10

0811cf7c27...de.exe

windows7-x64

9

0811cf7c27...de.exe

windows10-2004-x64

9

0dd0b31f05...24.exe

windows7-x64

7

0dd0b31f05...24.exe

windows10-2004-x64

7

1ad888606f...e0.exe

windows7-x64

3

1ad888606f...e0.exe

windows10-2004-x64

3

1c77a07e45...95.exe

windows7-x64

10

1c77a07e45...95.exe

windows10-2004-x64

10

23f1c183af...bc.exe

windows7-x64

10

23f1c183af...bc.exe

windows10-2004-x64

10

38e891599d...90.exe

windows7-x64

10

38e891599d...90.exe

windows10-2004-x64

10

3a13e092e9...db.exe

windows7-x64

4

3a13e092e9...db.exe

windows10-2004-x64

4

3b9dabd99d...82.exe

windows7-x64

3

3b9dabd99d...82.exe

windows10-2004-x64

3

58fe9776f3...06.exe

windows7-x64

10

58fe9776f3...06.exe

windows10-2004-x64

10

5ab93bd422...11.exe

windows7-x64

3

5ab93bd422...11.exe

windows10-2004-x64

3

6b06c25fc6...43.exe

windows7-x64

10

6b06c25fc6...43.exe

windows10-2004-x64

10

6cc8001c9b...07.exe

windows7-x64

1

6cc8001c9b...07.exe

windows10-2004-x64

1

73ca5dd6d4...3f.exe

windows7-x64

10

73ca5dd6d4...3f.exe

windows10-2004-x64

10

7b931d48ea...f0.exe

windows7-x64

10

7b931d48ea...f0.exe

windows10-2004-x64

10

7d6892645b...0f.exe

windows7-x64

10

7d6892645b...0f.exe

windows10-2004-x64

10

9036aeb570...7e.exe

windows7-x64

3

9036aeb570...7e.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    141s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2024 09:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890.exe

  • Size

    265KB

  • MD5

    048df8f057b4ec78233640a09dd80e9b

  • SHA1

    de16d030b3f5b067e5663eb1d75d2498c00d6817

  • SHA256

    38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890

  • SHA512

    d0cd4ce4c9d930866e269d9f44d44f79d24811d47cc700433c3611a287585b72fdc6d0ab38d07a1c3b76533d5ffd7756248d5ef68b7fe5c5218d631521d5e1b8

  • SSDEEP

    3072:4OUEH7tRFNhHm/4FBVlhmhvXsk/GYtnkAtc3MmJNz7YaoXryNnv0uLT+K/5XK3mL:B7t9hpHlIt/GYiJV7Yaq2nvNLT7/I3m

Score
10/10
gozi3170bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    217161

Extracted

Family

gozi

Botnet

3170

C2

oozoniteco.com

cetalischi.com

duvensteut.com
Attributes
  • build

    217161

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890.exe
    "C:\Users\Admin\AppData\Local\Temp\38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2700
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2628
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275469 /prefetch:2
      2⤵
        PID:1948
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:772 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2484
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2772
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1408

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      8e8d76bc5bd9095b6e81b3e8927e59ab

      SHA1

      a75859496a7f092f33c1a3216f5820175754cc45

      SHA256

      43a858fcdc8fd1996991138535d73c980a65c4df717412cf0d2e727eef515fb2

      SHA512

      3332aa0baafc203ef6eaf5d3c4159c5269ad25232427961d0673218d5c9d6f35a3ab6ba3b924d398d464f4fdc7f6aaf02aaf32a0f56a46e53e63ce7ec7c36c04

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      4cfa4eb3063076a15f5fd9f5a397ba64

      SHA1

      678e8aba118c504e57db65c5d5d16055133864da

      SHA256

      01fff70b1933d03b47d46b5fb8a2f1cdb0c9be39ce6c187c66cfec5514ef7350

      SHA512

      7d0fc7609776c71bae503f6cbce2f4aeae502b611804d5fe8433ad15ec6744a2986fceeebcbcdfd3bb5b976ab6b9bde931ac94fddd96c567ef3181dd1ac67e3e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      9b3722fc27e1b54ab3f2d71ced9270ae

      SHA1

      78c5e93e0225cb8f3148696241c859172abdb6f2

      SHA256

      b737f8d410ad1bce2be337a45cae531a0d77516889711881c69f3fcf94f7e21b

      SHA512

      d458d0ec322eac1a224f54ac7e66f1796f6bd462e4955871f6f54c06b4d3877581382d4dbdd8da0fa5d219bc99f78985b214223f95184b12e5d3fcdadde26846

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      73273ee1cd249814f424e3c2afabf0cf

      SHA1

      a6d6c51fad9384576f79a42c5a23841663bc160f

      SHA256

      f8360dacd4db61dfbc2585fb20094e16a99bcc16efa0e6a96e167a9ac6c20b4b

      SHA512

      80afa57ccae2979cf8b7162343588c7cc1faa49cba602184174d9741cd4ccfe3e090f0a3a1567a80711e6d1db5d3aeb6e15611e92e80614e51e384bcfbc470f1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      95abf397f32e3928649027e3d5154fc3

      SHA1

      18ada0cc5ddcba0d748f127927c40b2e920af5f9

      SHA256

      1d777469c28657b57e2e8032206a247b1778fe3258a2053a75f13698f66a806c

      SHA512

      9ce71a891bbb1e6c602a81769ac8b50858341773dcb54bb4813172f12ba8b5657728b0b5dd7a69ae5beabf8d395be8812d9ab4b104bbee14fd0f1c74e4b0b812

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e6c109a13e4ca57e6813000bb34eb3ad

      SHA1

      aced851aadca723980ed2b25d1c6db04a9f9bf21

      SHA256

      36575a5598beb963676a923e5a0a9346536cc5368ce6fc391ea5b5ff6c8ff2ba

      SHA512

      f25089184e40a5423d6b5223892909ae70655f85dc0962c0da2976e305940f4310710564f6a15819b29d819202dcfa66b52400eed9cbf555816c52d4142659cc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      128433f18b930ec4383a5846c9d268e4

      SHA1

      98334c3bae561dc633c1b23698974a0b45de34a1

      SHA256

      1ddf4942408141952e89511d49373fab2a5d5837ba358d3de0cddde4ca9edd11

      SHA512

      38edf5006ec02fd81ed5018048f0e8fbb2ef5ede940ebc1405e7e0f01cc496998d5758fa7878600965ed08194c9301e4106da4798a156974b8cc18a2722d74c4

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ba58dec4ae75444e68a23a8848729b44

      SHA1

      3f164750f20742810bd8dfeb42f9975c348be721

      SHA256

      b50885d555a400c0ca8a719758085a66e330c35ba785ab6b8bff62a9895334fe

      SHA512

      b55d92d7274d53c8ad58d6d8b674f068dc3dd2186b6640359d3fd06282960130deb0ac1608eed649fd3e642c850e8dcc51de8765dbd743ceba3609f64c3b28ab

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      bd0ea38f8cca6b08bc2dc2a52cab3aab

      SHA1

      82287837a4022511622121c1741a1c34ca097510

      SHA256

      a912fd2182179cf7aa7ad4df11a584d2415f763f2fdcb2cc636fdbc6d8785612

      SHA512

      79a64c6f5c219d8bd930a9f51740890cebd9692448240c58fcd2641f47f1df091e870b56422c2ef865a735b59fb569dac6b97436dfed05c3144955f70cc218b5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabEE19.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarEE7A.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFCDF5839045FD9A87.TMP
      Filesize

      16KB

      MD5

      d53f1d66507645b143976c7669bf263a

      SHA1

      7134eb33010b2310841f8624c8908eb62c5ee118

      SHA256

      d7b816ab830cff7531eedab5e92d759d8984b6962147e878eeb7a2b8810a2264

      SHA512

      1f7aca3a15aa7aada6894a4aba65f72fc22b602bb032ac2d94ee07e41c2ae76d3908a1948fdaefe80d84cd5cfd208fdf18233817261446e1b7493fdfe53b16fa

      Download Submit

    • memory/2700-0-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2700-7-0x0000000000170000-0x0000000000172000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2700-6-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2700-2-0x0000000000140000-0x000000000015B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2700-1-0x0000000001340000-0x0000000001396000-memory.dmp

      Filesize

      344KB

      Download