Overview

overview

10

Static

static

3

9095.dll

windows7-x64

10

9095.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 00:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9095.dll

  • Size

    1.5MB

  • MD5

    a7408cf2d8a68c9d621f04510d013c25

  • SHA1

    06710b16a700b2f86ec7b77204b7d132a83a34f0

  • SHA256

    67ca5cc17611a5292c116f492af8a96caebbe3539e3744daaa1f1c1a5cf72d05

  • SHA512

    04fc31d8fab45ec43490c1391e06a84e6f8e734ba6c80833351026ae9cf1420a92718875fd55b963d9b5a83b695f962fec6398991409d45f0dbc83e6f0b491d8

  • SSDEEP

    6144:C/mh48sQe3KipXDjA5d86CT9p2mxKvQCPRub+:9mVQmoEL1uQ9q

Score
10/10
gozi9095bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

9095

C2

http://google.mail.com

http://392184281.com

http://592182812.com

https://392184281.com

https://592182812.com
Attributes
  • base_path

    /glik/

  • build

    250218

  • dga_season

    10

  • exe_type

    loader

  • extension

    .lwe

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9095.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\9095.dll
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3132-0-0x0000000010023000-0x0000000010025000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3132-1-0x0000000010000000-0x00000000101C4000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3132-2-0x00000000030F0000-0x0000000003100000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3132-5-0x0000000010023000-0x0000000010025000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3132-7-0x0000000010000000-0x00000000101C4000-memory.dmp

    Filesize

    1.8MB

    Download