Overview

overview

10

Static

static

3

2025-02-22...id.exe

windows7-x64

10

2025-02-22...id.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/02/2025, 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-22_763e253ea36530b8209a104a39b6e685_icedid.exe

  • Size

    613KB

  • MD5

    763e253ea36530b8209a104a39b6e685

  • SHA1

    2473f962fbf9732980e69c46bb28e60037aa28a8

  • SHA256

    5ecc261daaeff24273d1ab2914b1eb2d4386c5d5ad40d7a934fec816237ec641

  • SHA512

    12e6d73ec045aa6552365c94b78f4105fe295b0bf1b4d9adf79946cf21a758ac2a59ff8ad3e44a5b71e26c4a4caa845a77435d3dfa515c266fd0ed9c6b7c0a13

  • SSDEEP

    12288:9Q+6Ii6F0WIxH9OijnA2cEMAPCeTA3CO6OpIR99g9ssdHPCHqKRgJBUM9Q3M2:u+6t6FeH8ijnA2cEfCLCnOpgNRgJBn9G

Score
10/10
gozi3494bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214098

Extracted

Family

gozi

Botnet

3494

C2

google.com

gmail.com

z72aoe50.com

tarneps.top

wxts86squom.com
Attributes
  • build

    214098

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-22_763e253ea36530b8209a104a39b6e685_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-22_763e253ea36530b8209a104a39b6e685_icedid.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4196
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4936
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4148 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:964
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4972 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3652
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5004 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:736
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4292 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4028
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4820 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1DKHYZAK\googlelogo_color_150x54dp[1].png
    Filesize

    3KB

    MD5

    9d73b3aa30bce9d8f166de5178ae4338

    SHA1

    d0cbc46850d8ed54625a3b2b01a2c31f37977e75

    SHA256

    dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139

    SHA512

    8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1DKHYZAK\robot[1].png
    Filesize

    6KB

    MD5

    4c9acf280b47cef7def3fc91a34c7ffe

    SHA1

    c32bb847daf52117ab93b723d7c57d8b1e75d36b

    SHA256

    5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7

    SHA512

    369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~DFADE2DE16AEA1FC2F.TMP
    Filesize

    16KB

    MD5

    55b09d75913da054ac644cb1e6c50b22

    SHA1

    1e5a1017dbb0bd97f26a9d45d9a1eb43f7c8b587

    SHA256

    6a17b8a5682d9b6d452d7cf104cc3d465579467d07fe20b87fdcfd10f73ed8d0

    SHA512

    34c0765ec68ad43e6adbe4a099a50eebdbfc1adb561f7373b327fe33545f4b07258b6c629fc0f9bd180421dfe5789cfb1f1dfa01957ba7a5af8d0324145b0c6e

    Download Submit

  • memory/4196-0-0x000000000049E000-0x00000000004A1000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4196-1-0x0000000000400000-0x00000000005F9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4196-2-0x0000000000400000-0x00000000005F9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4196-3-0x0000000002220000-0x000000000222F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/4196-10-0x000000000049E000-0x00000000004A1000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4196-11-0x0000000000400000-0x00000000005F9000-memory.dmp

    Filesize

    2.0MB

    Download