Overview

overview

10

Static

static

3

af01d12df0...77.exe

windows7-x64

10

af01d12df0...77.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 21:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af01d12df06f34e81f3772a1b661eef4f9086a73d953ea1c92a8408c4efa2e77.exe

  • Size

    293KB

  • MD5

    8c79a57ed866e5382f054567bb4dcd6a

  • SHA1

    a3418e0724691c5d103238004f8ed546d560e5c4

  • SHA256

    af01d12df06f34e81f3772a1b661eef4f9086a73d953ea1c92a8408c4efa2e77

  • SHA512

    49eb95f1748854a3dc846f35df02ed2dbff64b29732bd248f91bbb693256ad3ff9eb5a41b07eca789982392152ff6535a0e33f06646683eb8c182f77191d4c80

  • SSDEEP

    6144:1lJBbCGiQedkMGM37T2iG+wBvAKLVqbNqb2:zbDidyMGs7w+w5jLVqZ

Score
10/10
gozi7621bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7621

C2

forumlines.top

linkspremium.ru

premiumlists.ru
Attributes
  • base_path

    /drew/

  • build

    250225

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af01d12df06f34e81f3772a1b661eef4f9086a73d953ea1c92a8408c4efa2e77.exe
    "C:\Users\Admin\AppData\Local\Temp\af01d12df06f34e81f3772a1b661eef4f9086a73d953ea1c92a8408c4efa2e77.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2212
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2752
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:209934 /prefetch:2
      2⤵
        PID:2232
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:328
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1832
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1912

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7149af491aca24244b79ef3342c8bb00

      SHA1

      a222ef90e28be3243bcb37cd0f61a20a26caa08d

      SHA256

      64c7544388d33a3a99c19a8e3f869dcc4ca4249bbe255b4100301e1b5530ce8a

      SHA512

      179d84f2db1fd4adfa24fd924a2ae4245f2153cfadaff1cd162e454f8713bc943137ece8361396c7c84c78d870e9817a82b3ec72c07e86a0cbebe1b756102a3e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      60eced3d583e2bacef7511b77e550d06

      SHA1

      0920ae6286781f5bdc827c17d5e95ad21f2bd488

      SHA256

      248bbde83602a33cc0b603d1e87335fefa8ea83e8b30ea816a6ba807439e26bd

      SHA512

      56f0f55b8d95e781410d9e33e677f29986aa3f9652fd3f60d70868a2f18b51cd94e38a2aae636f269276d64af5c74c8d8aaf4d68a5e5ce7dd3fba2f056a8943b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      44188d6be88d857716a5c2913363a0d8

      SHA1

      72fc20e39afa5fa90f0ebdbf85c75a1634fb8dd0

      SHA256

      6aaeae1706b60e5aae06fbeb0fcd8ffb5057a70d9c538e760f785575cd5c789d

      SHA512

      1153d875a8e8fa257875708b35fa24614a7c709e743091a9024c865e03049a952ad926b9ca9536ed9dd94f7b4dff73953269e344d08db5cdd3ad252420343b14

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      782dd3da1ac1f79102d23a25fc451cd9

      SHA1

      354304eb938732460ad1ddab35d69ffa69273816

      SHA256

      6eea9022d5e95754d5de835eab8bbf0a2c49406d0d1b50665bcbe3652d03b8fe

      SHA512

      4ea2343573a7b9a0b6bf0718e621814f6cfdd841c46329c89882c4c74f10f5054ae4a0a693f51847e478eae810e0d6b3b0af48ea3452097876c7d604ee10aa7f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab511D.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar51ED.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFC537CC4498FD67DE.TMP
      Filesize

      16KB

      MD5

      10dc63204fb4fe328288d69e95ebec1b

      SHA1

      16ce1ee3718f84cd18a814ac0aa57874af1db0cd

      SHA256

      1e7af95f801b68696f675e6db9e29d002dd17b21a274350ca16bff6c612cedd4

      SHA512

      6cc9a489e45fc78598f2247f4e87e415e5f7d51d474354197b868b8cabb2cf4bb2e744d072fc350a463034d76051412367b82bd96033c93bc553304658053009

      Download Submit

    • memory/2212-4-0x00000000003D0000-0x00000000003DD000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2212-16-0x0000000000400000-0x00000000004EE000-memory.dmp

      Filesize

      952KB

      Download

    • memory/2212-15-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2212-14-0x0000000000930000-0x0000000000A30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2212-7-0x00000000007A0000-0x00000000007A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2212-1-0x0000000000930000-0x0000000000A30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2212-3-0x0000000000400000-0x00000000004EE000-memory.dmp

      Filesize

      952KB

      Download

    • memory/2212-2-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download