Overview

overview

10

Static

static

3

af01d12df0...77.exe

windows7-x64

10

af01d12df0...77.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2024 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af01d12df06f34e81f3772a1b661eef4f9086a73d953ea1c92a8408c4efa2e77.exe

  • Size

    293KB

  • MD5

    8c79a57ed866e5382f054567bb4dcd6a

  • SHA1

    a3418e0724691c5d103238004f8ed546d560e5c4

  • SHA256

    af01d12df06f34e81f3772a1b661eef4f9086a73d953ea1c92a8408c4efa2e77

  • SHA512

    49eb95f1748854a3dc846f35df02ed2dbff64b29732bd248f91bbb693256ad3ff9eb5a41b07eca789982392152ff6535a0e33f06646683eb8c182f77191d4c80

  • SSDEEP

    6144:1lJBbCGiQedkMGM37T2iG+wBvAKLVqbNqb2:zbDidyMGs7w+w5jLVqZ

Score
10/10
gozi7621bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7621

C2

forumlines.top

linkspremium.ru

premiumlists.ru
Attributes
  • base_path

    /drew/

  • build

    250225

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af01d12df06f34e81f3772a1b661eef4f9086a73d953ea1c92a8408c4efa2e77.exe
    "C:\Users\Admin\AppData\Local\Temp\af01d12df06f34e81f3772a1b661eef4f9086a73d953ea1c92a8408c4efa2e77.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2408
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2368
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:734213 /prefetch:2
      2⤵
        PID:1552
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:552
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2204

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c32cb06dcacd7ba91567f54fd49a6fd3

      SHA1

      a453e7233619cada29c381dc5a45bdea33a3ff30

      SHA256

      dae49d32fe27dd418462b99d3cbc40c7f0d0ae0bf6d4c765e0f3e94ecf9b5805

      SHA512

      d7e07cc3ab430b7fdc46d9d51db23c3099d5470af66de70bad50111a928185cb8721b8cfc3d38086a408ee1f2fdb28b70b7386306566b63c32c683e50f472e04

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d78eb82c63ace00c4cb682faca369908

      SHA1

      d87cd17a89cdc31ea00e4426c03dfc1fbe956055

      SHA256

      a470c30333a8c9cf1fefe052bb08e05abe8e8b953243e24ab0e867e55e9ba618

      SHA512

      3b20f8fd37813e93adf7ffdd9badef8fb55c9055401ebb6a750294788e52a9ad0d7a81a0e89fce20432986088d06a2c71f1a8de959f6c7e91fc1b2522b7a0ed8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e616e6a87ddce51074a74a5e0c11f259

      SHA1

      357f7601246e58d7a58f5ce5930a69e3b31303ed

      SHA256

      c4bb69619e8ecd79b44c4c4e14d2063bf16a9662f3dda66a62f27af79c017e3a

      SHA512

      124579ac442e721a72fa79bd5dd3f3c840e694e6cd6a3b8c8eb154b95b68c5eeb955bdf4a2900b17a38a8ee0bab1be426bb4f7e97b352e069b89bc468155a6ab

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7e760f37a0978751707b325bc79b95a7

      SHA1

      c4437da9b5c1166f36e457a7fb52286bf1a66a4c

      SHA256

      275151751b858b7c4fd0a4282502546bafe4fcbbe3c8a47445fe2d0e98833084

      SHA512

      18148811fc1b285803c9fa355e3bd92de22618584b08c11adde7210f63f9d482b4ce8f971c94797fdea3ab62344a66d894086ce4f8076d9d5182c12a2ab942af

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      bbc188c0df6c50c8618d99bd8d898dde

      SHA1

      f3313c8592eb7048f06e58871d150972fcfe41b4

      SHA256

      44caaadc488a610719b5448cabb02bb6fb45ef211494c5c902ab8c90b49b26f7

      SHA512

      e28cdbdb4670ce40ef09841ab4b5cec831c7fdd3abc946a3288ec6b85051e3740fce4fa917b08046c492d8fa48d399984453c54302ad6736aa7031a18b5ecabd

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      47920f118493e0d82122113ba93c6937

      SHA1

      bb1b11328277f9c8303d73537e8ff0f24b439287

      SHA256

      fce3d3ccadc4f8a1a1950a1c7487bd57c8be9d6c1e1888d538e91f0538b40b6e

      SHA512

      54d95058043166b59411c9fbf51973f81810b52027371590bda40814e1231b89ed4e48d23d83f7e9abbd93387da16e9b2c1e17179688fdbf059e8b0ba00a4cbb

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      551cc845410479694f77718d07d32ba8

      SHA1

      4303cf4a627124639c236350bda519ecd1be2866

      SHA256

      b5dc34e2b5d5d0de3763feb50c81af8394b3e1e5aae1b5950d3bea1803fd993a

      SHA512

      1fe8a273768369e058589464f85bed306a0f766f2696bad248f6cc9c4c6e477bef2658e4b5b17b95034e89cc245476d9bd2089a01a043c74e9362c6558f39991

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabF54A.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarF608.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFE258E02935EC7D2B.TMP
      Filesize

      16KB

      MD5

      5d04409017a9295b2ddfe3c00ed28b1a

      SHA1

      7474b90260ed6b936f25fe7f8467d9192f8f8512

      SHA256

      69aa6ab834993ed07906ee6c4412ea0058d9a33d7507cdab35818571eefaacc6

      SHA512

      2c8f7ecaaa9e73ed1a32d4f84ed864fe1533412bb035a4d3032fdfb0ee081a4b4f4af82fea0a84d51a562823c76ad288983a6760aa7be21410a1274ead7947aa

      Download Submit

    • memory/2408-11-0x0000000000400000-0x00000000004EE000-memory.dmp

      Filesize

      952KB

      Download

    • memory/2408-16-0x00000000005A0000-0x00000000005A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2408-1-0x00000000005E0000-0x00000000006E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2408-8-0x0000000000290000-0x000000000029D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2408-6-0x0000000000400000-0x00000000004EE000-memory.dmp

      Filesize

      952KB

      Download

    • memory/2408-7-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2408-5-0x0000000000220000-0x000000000022B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2408-4-0x00000000005E0000-0x00000000006E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2408-3-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2408-2-0x0000000000220000-0x000000000022B000-memory.dmp

      Filesize

      44KB

      Download