Overview

overview

10

Static

static

3

opzi0n1[1].dll

windows7-x64

10

opzi0n1[1].dll

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    opzi0n1[1].dll

  • Size

    164KB

  • MD5

    8e1c8cff8610e8932d766ab3008af305

  • SHA1

    ed105378c222691e40c4a15d09b51c83df4d4134

  • SHA256

    e513d1e2ef995156b6f803f10c05052a3c1ae35f92e1c6d5bb7765a4d3b61011

  • SHA512

    83a975be8f5435c59750179f6c642bc819fb0573267162998d2922594a57c657df2c44b0061a4c45334c6b9faf179a279c3f944aa2ad4a0980feb2bd9ac797cf

  • SSDEEP

    3072:lMZhiVcGQDgf+OJ/zdQAYKjxLFL8615go9SfNJ7Mt9vQ90Z:+ZhiVcGB+O7QnqL861+zyBQ90

Score
10/10
gozi7238bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Botnet

7238

C2

web.vortex.data.microsoft.com

ocsp.sca1b.amazontrust.com

blogicstatus.com
Attributes
  • build

    250162

  • dns_servers

    107.174.86.134

    107.175.127.22

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\opzi0n1[1].dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\opzi0n1[1].dll
      2⤵
      • System Location Discovery: System Language Discovery
      PID:804
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:568
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275474 /prefetch:2
      2⤵
        PID:2188
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1704
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1020 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2540
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1156

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      fa0ccc5750e312f02dd3ea0276a9a613

      SHA1

      0c63975f4881487c0d5013c9ee6d8b98d7c0ab32

      SHA256

      e2ec7771039218618640ca2505cfabefdab6cde823bbb2e0a36d1ff7a2efd99c

      SHA512

      68960dd87656342e01bb6825f19f050546fd0538ce61983937ad0b99cce9ffe3e1bbaf979e2456f22c76e7f8a9385759ab56e7cf3ff5e13b3eb5f7a7087d813f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      041244df43b10b52a9c5b997ad224e64

      SHA1

      1441521bd2f5327d4dd215568f5001b53e85e6c3

      SHA256

      6e8930356c866da397b745bedfdaa8f999a8b1f32d29b2fc4f46fe84fc9f87f3

      SHA512

      a6b2bb13c166c0b716da6b18d77ad087d9b06daa93263f7ce6f294a4c4d485b03817595cccfe101d0080e420c5a666ae2945c7202386a80116ea6e10d34fff24

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      4df9537e5de296e06e46bb3b71baa771

      SHA1

      c4a31e6edce0a23620899778e4bb099a401221ad

      SHA256

      64981f911c347c97225cda26b53cdf57757ef342090523309a8acca93018726e

      SHA512

      b3741ef49d42a71badbe9479ca38134f3c9b6486a2dff1b1eac3670b4f20f37fcde2d4e8130e15d36bf972d577839b51173deb59ec01f0513c38ca8cf6c216ef

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d15ddc3aa722b4a1c84dc7bf3a91fc52

      SHA1

      22fd2f2daef6f4d78b893ba19318c233948faa51

      SHA256

      1c207fdc8cd6aa7127ebc130fe5c803184b3174b7cbf2b25380a93f417ca7734

      SHA512

      19f677c81aba92afa05c40a7218f5e43376a08e91ffe1c7735c67d546d2409a833b4e27e7624a22f3ffbc3c8e171ce7c648c66040143142780b9069d15384c63

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      19ccee63a374cc135e8bdf7a1220cb3e

      SHA1

      c97f4675865a3760361f05498f5a23f0df785621

      SHA256

      c384f22296b36df78126023d05fd193b05db4eb955b7e85fea37814c44b4957f

      SHA512

      41aaa385e8bbc46669af3efddf6c0f1f083d37cc7ad3595fd7633e075b5d096633b6a696b35fae9eb13c5066a863fa2a43a707a1754bbccd592abd71de9f95b0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3852453b06dbffbc112e281636853c0c

      SHA1

      129eab60e78d19ae74ad66caca082f2db8b5e0f7

      SHA256

      67519e105fd54773ddc6cf5494f1094435d0f8fdcedd70a5ae010d4ecb963c36

      SHA512

      943006e3cde46508111b29a340198752696b836d92b4a4ba5f6725a30bcba9a6e122a81f5f64f56d7453643ceb625a386043a73df9e32d1b049090d080115e72

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0f7880e9dc96887808306ab6feb1d65d

      SHA1

      ca06200447a6dfa4c2eefa1264279cfec12dd894

      SHA256

      d83dbc3e229860f62c870aee6d5d2d07e0b950d34aee82e4c0dd68c99889bcb8

      SHA512

      da91e6ced2270847a15ce0a0913ced9cfc1e6da467e50ae0423acc6a2a698cea0fe5558ea91cea72ca65321fad820462b3ca01535842d9554236c74330eb8b3a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      dd11e5f1b7104c63f3f16382f5cf4506

      SHA1

      eeb3c278b87ddfd671573a4b394ddf0ac6a32e4d

      SHA256

      2c549b85c000cabfead223ee4ca460b4c0915328fe1748baedfcc6cd35e262b8

      SHA512

      a8da7adf48b7dc6ebf50a65418e358139b9cf43e207dbe745f78366d114bb32324d927d4ff7918bc38d7b3459b5e7f97a24a46546dac570637b2aa06659a98a7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      367ae557160b72d2e89140d44bcb6e85

      SHA1

      f9ab4cd945ded734e6ae567182c7d1ba3ba814bb

      SHA256

      f7b8673cf4d64126d6b9b5931f524b0b2da41a117ecb11961b506399777a9406

      SHA512

      e85522f85535aedac871838fb6b208cf7a49ad1435d755a182dee354e0c8cb65512799f5a632f18a2e18c5013761b27f91aa10f634778c508d602300c56dcf21

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabC9C7.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarCA95.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF50C3F276767019DF.TMP
      Filesize

      16KB

      MD5

      d0ae3d24d6940ba5f0866c2d699925f8

      SHA1

      2b6880c503e2588fdb78bdb2e326f7cf06aa0d78

      SHA256

      321fbc58c8c373a2bf850c8aa8a6ea05cee8f1f5814942ddbef979a22d95df06

      SHA512

      1e0d0db196af4a3b2c91ac7527b1e43ee910bf71db2494b340f15316c8f2174f254b0f293772f2658b83e8d1911db50b2ad7c6163f22623fdd0c90d14ce52e8c

      Download Submit

    • memory/804-0-0x0000000000191000-0x000000000019C000-memory.dmp

      Filesize

      44KB

      Download

    • memory/804-12-0x0000000000191000-0x000000000019C000-memory.dmp

      Filesize

      44KB

      Download

    • memory/804-11-0x0000000000190000-0x00000000001C0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/804-4-0x0000000001E20000-0x0000000001E22000-memory.dmp

      Filesize

      8KB

      Download

    • memory/804-1-0x0000000000990000-0x00000000009A0000-memory.dmp

      Filesize

      64KB

      Download