Overview

overview

10

Static

static

3

2025-02-22...id.exe

windows7-x64

10

2025-02-22...id.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/02/2025, 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-22_763e253ea36530b8209a104a39b6e685_icedid.exe

  • Size

    613KB

  • MD5

    763e253ea36530b8209a104a39b6e685

  • SHA1

    2473f962fbf9732980e69c46bb28e60037aa28a8

  • SHA256

    5ecc261daaeff24273d1ab2914b1eb2d4386c5d5ad40d7a934fec816237ec641

  • SHA512

    12e6d73ec045aa6552365c94b78f4105fe295b0bf1b4d9adf79946cf21a758ac2a59ff8ad3e44a5b71e26c4a4caa845a77435d3dfa515c266fd0ed9c6b7c0a13

  • SSDEEP

    12288:9Q+6Ii6F0WIxH9OijnA2cEMAPCeTA3CO6OpIR99g9ssdHPCHqKRgJBUM9Q3M2:u+6t6FeH8ijnA2cEfCLCnOpgNRgJBn9G

Score
10/10
gozi3494bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214098

Extracted

Family

gozi

Botnet

3494

C2

google.com

gmail.com

z72aoe50.com

tarneps.top

wxts86squom.com
Attributes
  • build

    214098

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-22_763e253ea36530b8209a104a39b6e685_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-22_763e253ea36530b8209a104a39b6e685_icedid.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1588
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2776
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:209930 /prefetch:2
      2⤵
        PID:928
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1580
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2308
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2436 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2700

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b8c4e6c109b4763b957db4465c19e233

      SHA1

      546aaf859712ab4c0e0af00b1bc6a27dbdcb2495

      SHA256

      12c86af71fc7ed366dacce02d6ff4e9276f66211b5d08cb305971a9c1aec2f08

      SHA512

      e3b65de203a8f8290bb1f7853e6b5025d296dbfd08612b077501af6726745afd98d0a185f535e389437a85d2f57f468d8018c4bb9b981f0ac0b7f6baac664dda

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      777166a266d5d2d679d3a44be64003ce

      SHA1

      1a9f51dc967798ffe223b9b23d4f50ecc9b9835d

      SHA256

      8be22bd935a5799447aadfe58fc5fa071c68b8abb4738dc9d0ec5a7ebe8f5a07

      SHA512

      39e027f79a09956dfdc0f08d10e3317b75b09b41690798d991ed36ebb05a1fed00032a3832ca2fa259a1a13f1a5a3bff8ec502a50cf8b1226dd65726c53204d9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5a09eef25cca65b9be282f7efedb41d8

      SHA1

      0ddd8127c80304f0ef8848f1f35d4a3efd552775

      SHA256

      fb07b9a92cf283c6edfafed42d05905721d2724d6cb342973c7ea1a22552693b

      SHA512

      a967a1f491cbc0ac961ed3ac18e7c70a0e43197b8513b3ecd39ea5127cf8075e5ac55c23e719dbca2acb98224c21f3a01c0b35d45b94bbeb751c5e0644ddbaf4

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f2ee7d95a86d28285e50b4a357a2b91b

      SHA1

      01d0708a4d08c74aee649e77da8ab2c93a2deb6d

      SHA256

      41feb51ba81d382794d9c394a96cf84a5ce6a612f6cbf3363ccfef43b4ccbc26

      SHA512

      6361bfb4e17113f698eab49282038e2650d6f08a4988c81538eaef93d267b763b22d2689be1b96910aa1c74b21937bf4f081ce996cd8410cf190c29f8717d44c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ce3ff50ee29a80cb000467a86c684cd3

      SHA1

      599db929d537ee11fee18281fab09ca90ed45966

      SHA256

      cdb3bd8c5eabdc57d3fbd02755aaab6d4e01e0cc1bf4c50fc758bf4461aec944

      SHA512

      62c3d765a71a84de30e115197a867c8e7796d8fc7161f66cf4b8a2db34c3538ddcb19007651b503b06e23fae8cb1b9fa377ef93415b04009e7f1bb11ae623852

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7f4bbaf50b3114123bf4a0c730352ea1

      SHA1

      ba1170bd0754848705cdd38fbb6f10938f0fba90

      SHA256

      843c506872831c45ebea36a71025bdbbaa98f5ba729e5b7559ceb95c2e44cc59

      SHA512

      4109e4d1ea3475d103e96b62c44bd2662a1a76bb8e8156630448f832b3bd69f24c1ff9b0496cac8158b9e2e77c221ed44d298c8c191438280db2ec161e088562

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      4895d08d7cf785a50367296e3f1aeb54

      SHA1

      105f11ce107f6720a0aeaeea31f2421164d66f0d

      SHA256

      f3d0ea0ab735a4aea631625d33304113975bc57fa6a7f640892f92dfb8f2a5ce

      SHA512

      7795e885aa909b963a79e29e2c704090a210e06f2a7b7e4be7f15684dc5c0e7217af4096076977adfa420ce38f2ec4b6c5dba0c6c7475623b3ef35d4eb6356f9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      4ab81027ff9d640f26ce92b3e0ecfe3f

      SHA1

      5570910ba8397e8c476d131902428c7cecafe1a6

      SHA256

      3546d9651c342d4544141707155383f31b91878f46abb3857f67280f0f53be05

      SHA512

      0b7da39fec7556ed9143ca669b2b017cf454d62c22bf6436fed176b0029e49bc3b7c787d8e6511b6d331e3c70f43361593b6241614940d78c45c6da0a67fafe9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      552216823d9ba93fb7cf532a8ffe8cc2

      SHA1

      ff29e9e66d4283b8cc0adc6e6193170978b36c14

      SHA256

      cf6e27f8c75684d6e396399711430d9b8a71eaf951f058a5dfdf079fc34022ba

      SHA512

      6c72d7c2ecf7ea6f3a856433dcbbc19f1e283b463512654df9dbf6c03a322ea8ccf9eccc2d3f17ba6691cb5ae92bb828bd722b0de368f6b20ea72356d4335cc4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab2C9F.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar2D2F.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFC540120D16AA9B7C.TMP
      Filesize

      16KB

      MD5

      62b54c3e173e6c01d5fd5eedafdc69cd

      SHA1

      b82b254214ae7a98b2d342142ba7309f8b167956

      SHA256

      9a8d33b83a773ba9f0c45f5f6de4ea505f121bb1769a5883df8821656a1858e4

      SHA512

      54de6799034ad29567aef4cb9abe90c5001ca8ded13ba4516ad77e5d51ebe1b7cc8ec5fb65be66dd6ee0c8ee44fc92ecdbd694b6282f961295ef8caa66756a19

      Download Submit

    • memory/1588-0-0x000000000049E000-0x00000000004A1000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1588-12-0x0000000000600000-0x0000000000602000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1588-11-0x0000000000400000-0x00000000005F9000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1588-10-0x000000000049E000-0x00000000004A1000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1588-4-0x0000000000340000-0x000000000034F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1588-1-0x0000000000400000-0x00000000005F9000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1588-2-0x0000000000400000-0x00000000005F9000-memory.dmp

      Filesize

      2.0MB

      Download