Overview

overview

10

Static

static

3

0331e91d94...cN.exe

windows7-x64

10

0331e91d94...cN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-12-2024 02:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0331e91d94af0b232824f1bc5d5df8a0685530ac7dc5e63190222ae201b4c7ccN.exe

  • Size

    304KB

  • MD5

    dc30ca6dc689b086b53b1b0758d53f40

  • SHA1

    634a3757d3e9a00c3484537c8335ebffcdf942a8

  • SHA256

    0331e91d94af0b232824f1bc5d5df8a0685530ac7dc5e63190222ae201b4c7cc

  • SHA512

    68eaf041cc0584c1226ca3a69753056577fe438778d677ea09c608bd77be71b31f9b16164dec804f23c7687dba960f6c069e7cccf890d5f06973a273723476fc

  • SSDEEP

    6144:u/806jJmAnCyoHOlq/QMA5pzJhgFOAAnMCUm1t79NSuxD:u/806jJmQ6Dkfhcs7h

Score
10/10
gozi3364bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214082

Extracted

Family

gozi

Botnet

3364

C2

cio12y21e99.top

pp70guy53kevin.top

pjr82milford.xyz
Attributes
  • build

    214082

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0331e91d94af0b232824f1bc5d5df8a0685530ac7dc5e63190222ae201b4c7ccN.exe
    "C:\Users\Admin\AppData\Local\Temp\0331e91d94af0b232824f1bc5d5df8a0685530ac7dc5e63190222ae201b4c7ccN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2688
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2528
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:406541 /prefetch:2
      2⤵
        PID:2472
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2892
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1712
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:632
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:632 CREDAT:275457 /prefetch:2
        2⤵
          PID:2252

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        511829d6ca2a767e2d9ece371614a181

        SHA1

        bf9139f08f8ad0149b7428f7f6406ed1e4dba686

        SHA256

        45ab66040a0648d7ccfcfd717ea7e27e95b131777171dd6c83002b9e52c86068

        SHA512

        d9e19fe37795a3b885609b49043fe5755bb89523c9779dfe0c15a166afe99fb19c373ee1359af2acad1dc0354ab20b49ed5ce69a60667c126f7e04ac4bb2a2a4

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        98159babdf21a9a6b52f6f75489e25fe

        SHA1

        0e0ac8de0bf5743889cc88adca0d7a26f9a3573b

        SHA256

        6a2f889a34a8f5b769d4c327efdd168f4890d9ce9d686f41e200198e954ec6fe

        SHA512

        dc65dc02fd6c0ce84c6bcde5a8dbd062e2470270219f1d7d7df7bfa9675efac7744eada9d812bfa70bbf53b8242934e032855968917560972f3f6449b2815806

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        67fe7eeacb4894970a0fd2dafb9b7c15

        SHA1

        62f7c278fa3a508d7f9364dffc8883914d27e12d

        SHA256

        1eedb346336593c1ab696bd3091e1e46f6301416372c3a659f4c851dfecd030e

        SHA512

        c76ca4dec4ac3fa9bb2e6ddafec357e712592039cef1e06fb68444957e4f6b5b041dfa12283fe82b5da419a655127a751ee18b95425fbfc2539d84998a2803e5

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        8c93b429fb8ec9dbcdcffc88fb1369a7

        SHA1

        16a041635ea7ce95d9653774ba4a2850885ccecc

        SHA256

        68088331fcaae0fba0d9768c06ecfcdbee9c0f0f1f191bddab169b38be62e751

        SHA512

        72a60a997a669ce391237064a258c8c0abf105f775faf9964149e83a607c54f414fe7dbb0d778854f23d1319edffe16273078cbb621862a4924601fa39b77f3b

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        bcd03c75e5a018a0c768e86071f210f7

        SHA1

        60f7ffc94f6a562ac9c489bf61989ff3b66a2b75

        SHA256

        6959365866c5403c7ca9d246194b0ab043bc63fa032391c46e498c6a6ae8cd5b

        SHA512

        c93224ccd00003583eebad9d6cc5d8ce47312fb8b375e3aca0d0ebf79dcd6a6bf70534cb4e59ceab1319c84809155c3a014c0a3a8ff21c72b5639c5f2f201e9d

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        02f47be9eaf620ae7e7bc203488b001f

        SHA1

        024cb5042172e287417ed4fb7bfd2231e408faae

        SHA256

        4f0e986f1636855eb8a85464bebf6ad524a89b5ddfca032bd2cb4b24196f0937

        SHA512

        11ecfda78b12f01a4da0b475e9da620fa5056367b1bdce5d50258e47b7d2abc2bbadb09fbc450ddc9edbc8fc44597ba6eddda752dc70f5ec8f0a27690c7a339b

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        2f2af522288d18b0031fa6a437ff2a37

        SHA1

        5b42bf0821f87fb2508d16eadfce16113ecc72db

        SHA256

        0f707eef48d9b4bed4c678c8b609248bebe792e8a5b30e6c62f5dbfa8c342d5d

        SHA512

        319bad5905b7bfb697a7ebeae5453c8b2e25dc847a3dabbb6bbecc79c4431210a6b648af930993c340851d03e1111831757c5af94d5166cdc9fc15a26bed89a1

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        ac45f807bddcc769db201b164212e55d

        SHA1

        99a37b7310ca6d8b1ed06657c9a55cb724a4b7ba

        SHA256

        4a056601b38a2f4a4a60cc44ddc74af711968b99ee07ea5cfd981da74e56d8eb

        SHA512

        44e7511cc6635e0fd3fcf892be6b712073e355b43ed960c01921e49164da988dbd6801814085519a4be3434436a4873bf3b6d5af155c9e370ddab0f51c786938

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        640f8f312bcc427c355f753592ba811f

        SHA1

        73f44df462e6c3689b3630918ae1a665d44557be

        SHA256

        c3c1f48274d7ef0d20fb9ccb0d3e45695891afb34689c47efa6961e2534c756f

        SHA512

        eb96f36f00f71a80b6efb43eb31d5e68514f140e80abff321544313ed311458ebf68730d6b803eb4aa09b95ce3257e70814489aff0cdfb733b5bf773ed7396ec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Cab879A.tmp
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Tar880A.tmp
        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\~DF71DC562D49147D03.TMP
        Filesize

        16KB

        MD5

        d46bc659261058a08e9aac7724cc0e6b

        SHA1

        6f5f28cd872c0823dcc414946d04a192add57b63

        SHA256

        47dfab8630a20e4057e4e424a1ce1958e20630439113fcc775bfb563eb49f12e

        SHA512

        dfcfaeac6ee1db26b125e7942cbf5774d9320ea0827690f6f76111c0e58e476c1d81be10846a3bcc728d47a79ceb8fd98cc2a29c0255a6705d2667d4727c91f7

        Download Submit

      • memory/2688-1-0x0000000000200000-0x000000000025A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2688-12-0x0000000000150000-0x0000000000152000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2688-11-0x0000000000200000-0x000000000025A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2688-4-0x00000000000A0000-0x00000000000AF000-memory.dmp

        Filesize

        60KB

        Download

      • memory/2688-0-0x0000000000200000-0x000000000025A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2688-2-0x0000000000219000-0x000000000021E000-memory.dmp

        Filesize

        20KB

        Download

      • memory/2688-3-0x0000000000200000-0x000000000025A000-memory.dmp

        Filesize

        360KB

        Download