Overview

overview

10

Static

static

3

2024-12-19...ia.exe

windows7-x64

10

2024-12-19...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 16:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-19_483ad2c6fe1798d8bbb770eb0d78f28c_mafia.exe

  • Size

    1.7MB

  • MD5

    483ad2c6fe1798d8bbb770eb0d78f28c

  • SHA1

    b3b35791a302e1cff4ced4d5c74e0feb3eb8cc75

  • SHA256

    04adbf662609cb23bc2755d7722b1c5744bb584f2ad5a88bb6765f4a463b5e74

  • SHA512

    48e280525b1fe4415c00d853e5bc4897d311b17cba0cc693f9db13512cc70a8d5ee7ec03bff3a81b1eb5c436ea03994ffa1d0cec64102368c9f22ad0dafade63

  • SSDEEP

    49152:NInYk6iqhMlTavrBrvw4Ybgch5OHLY97E4szBydQZp4DEFIWegU6:eYThMwv904YbHh5OHLY97E4MTZpcEFIB

Score
10/10
gozi3334bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Botnet

3334

C2

rueu5334.info

vuypto28.club

ga6jhf.info
Attributes
  • build

    214080

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-19_483ad2c6fe1798d8bbb770eb0d78f28c_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-19_483ad2c6fe1798d8bbb770eb0d78f28c_mafia.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2512
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2860
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:668677 /prefetch:2
      2⤵
        PID:1204
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:856
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2108
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1096

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f1ed1f525bbd2cf5c729f20de8740ec2

      SHA1

      bfa37b3e675ee6b9f89d85689c6f88d8ba1c305a

      SHA256

      7ddab146c284f8b7e305ffa3798ed7b1a99f74a2cb7e697c6449e5903a74d3c2

      SHA512

      cdf54d68ea5ca0426c29db3048f495d1420e8db465756de9f76601190377380c0f2c525d5411ecadc678f40301f9c77cb1f31ca7e9fa56b94fed5357e4dfbad6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      91d2cddd6e5f2a7061ca0e92404cc0a4

      SHA1

      308723f350ff91a131b45b56aa62c635a524a53b

      SHA256

      ed859910a8009c0074705558885e836c6c0fd005812fe76b9e98b81012d544e8

      SHA512

      7c5a09c54b510a854c1f02d3e7099503bea691e6a346125f9b648d9b393e5be938b861f9754b23480246c191b79cd5d982edb8d9afb9f653a12ae5b3f5c076d9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b701734def38215709923430b9b192e4

      SHA1

      90a3eaef77a2ede17eeb6d9d9cfd281b945b58f1

      SHA256

      95d127e37b0af1d7585b249fff39809cc8642b2f4b5eeec06da43f8ccd766e04

      SHA512

      984a94a38864a85e29efe9c373444c7f2d55880547e8b62463a3f52498353a9df7c8d42b60b6f0e520f55b8bd3dbd000434cc6ea8a5acebe2661a7510e577ba7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1c591292f818e1042300ffc52d00e998

      SHA1

      c030ea7327520a716fab53e47c82489e257484a1

      SHA256

      719f162433b7cc5a4ed54f1458fd81f70d48122741446f326d924c5c7af83d9f

      SHA512

      76d80c37733c6f3e95307a2e9be4af3dc0bcd9eb36395e96e8a7c65768fcf56f543efc27f7c4181a8e84ef8bb51134dd85eddaa6521aed034f8cfa62cc3aeaf4

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      8695d7c7eedcffdd53e006a6c84ecc5f

      SHA1

      74b9c2353c0e42972476f185d574530abbaf607d

      SHA256

      baec2445e22321d09600b5a3fd02aae0e2dccafad04dc3c56bcfef0e83606889

      SHA512

      fc5364aa31d4e4b3e0097944dbd885ca63ca05aaeb65312bdcde2788978e7afaceaa3c67f9a6a3166b5f02743d3d16ddbffe21d7a066286aab62fde062beb064

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3c32b12750505b461e7977a20b87374b

      SHA1

      21e471972476919e0999064e46eae97faa7d7990

      SHA256

      a05f583676d095dd04dfbc5fe3741cf4bc79d6618d4518a5dfe94c89ece4b422

      SHA512

      022cea126838dbfc94a9f985cf8118fd36364e2b1aaf78b37608db0575f6e0c723cbc70d35d94d749ea2711859fb789e195704e7ebe739bfa5025d6a13f6fbeb

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      23458a1cba83340779b8593f071f8448

      SHA1

      7a9fcf1ee78565245eebee08fdf9eb16fa03890a

      SHA256

      086cb1dd92d4bcf2b7210a72a60d9fe3762750eb4c57d254d0d4ed3ab2156411

      SHA512

      72614c1d4684e76c0afaf461188aeb78c57c25e505b09581c091fff93f2704ae3aeb7747460840ee55ded6752cdf785b054d5bc8dd8389e6fea8be79bd6086c2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      2c97aed73ef2314344f9d56d41f85f7b

      SHA1

      4109d5e9c19303266fc7738c32a58408b6e69873

      SHA256

      2dba879e342eb4566e7db3032b74127248ea29f342159abebce16bdc1965d51d

      SHA512

      6c88780c3f013f71c321fb5bbfd9ba50603d73b063864f33fe371c42b7f8106175239fa8e78e138b9a4f5414748fa9a8ae06dc39afc49064257e2e930fc881c6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      cc42ed657c4ada475a802cf5549de623

      SHA1

      d9915c3606296ad017ad0c9b8f62fc55c0c8b185

      SHA256

      e234dbd6ddc0ff8614283c953e6e87996a5fdbe4fbfa74b9b816be4bc39b6e1e

      SHA512

      e3404300558c3320ef2a9c33a9267d1c9693dbc7c62742674558ee8f7eb39095e32e4d7e244dd618e0b3ccba2a570ff7dd9e1e66126308a41dec141c1dffe153

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab563E.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar56FC.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFBC400A96288CE189.TMP
      Filesize

      16KB

      MD5

      d8f648204dea176d2eee762d31748b80

      SHA1

      73fddbcef458bcf5031ebc0de5425901827266f5

      SHA256

      e538239002e04e52b5182aa0809898a01125bd3b3ca9eee676f63e9a1cfc17b6

      SHA512

      ec1892c840d80164e67f028a935538f29063f67fa97d6450c23e99ef28c83089aff2f5cab26b6b9d8f33b03e030acc7e94eedb2d4a6dc607ba5015d3a0aa6a05

      Download Submit

    • memory/2512-0-0x0000000000200000-0x0000000000201000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2512-7-0x0000000000430000-0x0000000000432000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2512-6-0x0000000000200000-0x0000000000201000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2512-2-0x0000000000300000-0x000000000031D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/2512-1-0x0000000001360000-0x000000000151B000-memory.dmp

      Filesize

      1.7MB

      Download