Overview

overview

10

Static

static

10

0811cf7c27...de.exe

windows7-x64

9

0dd0b31f05...24.exe

windows7-x64

7

1ad888606f...e0.exe

windows7-x64

3

1c77a07e45...95.exe

windows7-x64

10

23f1c183af...bc.exe

windows7-x64

10

38e891599d...90.exe

windows7-x64

10

3a13e092e9...db.exe

windows7-x64

4

3b9dabd99d...82.exe

windows7-x64

3

58fe9776f3...06.exe

windows7-x64

10

5ab93bd422...11.exe

windows7-x64

3

6b06c25fc6...43.exe

windows7-x64

10

6cc8001c9b...07.exe

windows7-x64

1

73ca5dd6d4...3f.exe

windows7-x64

10

7b931d48ea...f0.exe

windows7-x64

10

7d6892645b...0f.exe

windows7-x64

10

9036aeb570...7e.exe

windows7-x64

3

9b6289a8bf...2b.exe

windows7-x64

8

acf2b76704...a7.exe

windows7-x64

3

af2f191f8d...53.exe

windows7-x64

10

cc7045d9fe...ab.dll

windows7-x64

10

d1a6bd542d...a8.exe

windows7-x64

10

efe947e0a8...69.exe

windows7-x64

10

f13edd0b86...9f.exe

windows7-x64

10

Resubmissions

27-11-2024 13:29

241127-qrb37svpcv 10

27-11-2024 09:27

241127-le54astrfj 10

Analysis

  • max time kernel
    141s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2024 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890.exe

  • Size

    265KB

  • MD5

    048df8f057b4ec78233640a09dd80e9b

  • SHA1

    de16d030b3f5b067e5663eb1d75d2498c00d6817

  • SHA256

    38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890

  • SHA512

    d0cd4ce4c9d930866e269d9f44d44f79d24811d47cc700433c3611a287585b72fdc6d0ab38d07a1c3b76533d5ffd7756248d5ef68b7fe5c5218d631521d5e1b8

  • SSDEEP

    3072:4OUEH7tRFNhHm/4FBVlhmhvXsk/GYtnkAtc3MmJNz7YaoXryNnv0uLT+K/5XK3mL:B7t9hpHlIt/GYiJV7Yaq2nvNLT7/I3m

Score
10/10
gozi3170bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    217161

Extracted

Family

gozi

Botnet

3170

C2

oozoniteco.com

cetalischi.com

duvensteut.com
Attributes
  • build

    217161

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890.exe
    "C:\Users\Admin\AppData\Local\Temp\38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2096
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2360 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2944
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2360 CREDAT:668679 /prefetch:2
      2⤵
        PID:1312
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3000 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:900
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2536
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1608

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      eac2ec1a76beed340c28eea954fbff7a

      SHA1

      42721b2a5dde71915311f1320e36f81a2a186ed4

      SHA256

      6a18573a237913d1f185951f31a3d9cedf3d7fcb102339f339735ec109d5d7ea

      SHA512

      54991231e3978803552668a4cbb09dc089504a30c16ef1efa28c1995591ef520ccca475e6c7f5d2e9e0865d0a678154c028564003795f91b6fbec6ea1ad63627

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      dca56d87a39c93487a426eff8e7c4600

      SHA1

      69dff7059d3bb1d4e3fde27ed6709814b946952d

      SHA256

      cfa5fc464f9d90540a7b15727b12937a0892702f04d4cb994f8e0548a9294bf3

      SHA512

      85e7cdb07e39d93997fe69217629d805ebf2116638bc06f7e088cf7c7eb5f709c3783e2f0610d979b1901f76c091c8ee572737caddc583bae7b1adcc1fa2e76d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      deeb2da55b2ccd75e9ae9e958f2046f9

      SHA1

      30de989944cd76233761989e22ba4358203dc19f

      SHA256

      e0a4aa6f507abe1be5599e7e945edbaaea85b29f9df48bf10e74ed5986787a49

      SHA512

      8e2fefae7dd8361620f0b7003ae1b52282b7b7a3fb928b92e9a5c75f332fee0aa3fe584645613d9a7cb18a03fce531a147bb29c3f105b263a331d7048663c508

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f6645af222014450d3629c5dc892c7b5

      SHA1

      dc7c568048e8a719f73860e091f770695ee708ad

      SHA256

      96be85ee4d47ca9ea1d7badfdb0be3c4e1e50607b9c72dc4d324f23157821769

      SHA512

      152a09a75081ca06d70f3df1d516c7a4e633a4f01a35b615723693c3a5c223614dad6a98fb3d88b6abcc164de93eeac2c04b6dab4e01230ad14ec74c24e12c09

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      14dad90c57b1ddd6c8331e694c9a3828

      SHA1

      29ee8070c21dcaa30e3c3c7dd62b30b80d7c677e

      SHA256

      c982cb1fdc5f5429b109dd6cbc93e8b4e22781f469f43093680584b8eb8e8ab6

      SHA512

      a49de5b757697229996f10be06ad3145f4c2c6dbac4c0bb1268c96d26eceb6c763384f75b0db8a9294d792301d4e050103596782b55d1feac0e0f9732f093256

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a5e54b1ceb5608f3bcdc972220feaa74

      SHA1

      6ea78302febc0c77cd55bbee09b36827af8b47e7

      SHA256

      25a21452e3bb666cba8ea9b2eb17ae773e488aa3f497084c22172dd9b09ae697

      SHA512

      2973c86e69ba8c3709c76baddbf49526f933f09d358fc05df11671ef176b1713543f8aad07de6cef50c7d993838ee967341e65e17959dc54d9cc131420d03f3e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5af97fe7dea85e2a3ef8e4febe65ce2b

      SHA1

      1b0a1b797ae3a5afc48f197b1ec2e175b27e0b29

      SHA256

      0879fc978da9481b59756abb4e160944420fae4ca8f2391290d8d3eca6dca450

      SHA512

      7a25f855c3ab174d9fe50d7ef74e926048cfd2e754c92792bc9620534cfab7dfb37c1cfe9ba84804de8c99bb1083faa2e1702765c27e22bf41be6243cbb4d6d0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      26919f77790b7c5ee94e226eace668a1

      SHA1

      9231274ac89d82766953e64de55d97e4d4c21d63

      SHA256

      786224cceffb1430a09a9482feb1fdb6b5116b052675533e8ce184ca53945039

      SHA512

      e3b23f352c1d18bb7a9d6cbe3dc21e839a0b0af26fc6340a0d36e2b8d56305ce9334abba8e3599658792ea90aa038fd0a421e88e0817c88465435b63d16350f0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f3b64bfdb9b62b37bf092636a9b8c878

      SHA1

      1df8715e21e11888190fe3444a213df7780f58c1

      SHA256

      dd3720181dd525d6c4cb1e3596fe386fb2b2c0bc7563f89127dd6582d49adeda

      SHA512

      3ecccfef2a6de158a8fbc2e8bcd8d272043ab5ea6985dc0ed9bb8891245c9d006db6fa939a28d1d9f7d60021b7641797ed7c56cdb467c21cdea0484275d4d8d7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab54A8.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar5566.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFEBE6C7826A197152.TMP
      Filesize

      16KB

      MD5

      24c35414889882e2d08dd925cadfe5ce

      SHA1

      048080b4f8f1c888443e34e9f0039da703e59948

      SHA256

      bf67a4555e79aaab55a0864113bf205990f986ba83c25ff944d40edae39bb506

      SHA512

      7dab8c8c04df718bd8f9eaaf7c78628b231918a2b6e93278b5a97dbc288fe4c828a6f96613341bc68f7cd6f77ceb437e8d9a194a45d6b6896fd3b366198cad34

      Download Submit

    • memory/2096-0-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2096-7-0x00000000002A0000-0x00000000002A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2096-6-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2096-2-0x0000000000260000-0x000000000027B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2096-1-0x0000000000940000-0x0000000000996000-memory.dmp

      Filesize

      344KB

      Download