Analysis

  • max time kernel
    116s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/02/2025, 10:00

General

  • Target

    5a71b92d9d691754a5ff056b7d4aa819e26f2e55485d17623c5be00e431d91f8.exe

  • Size

    38KB

  • MD5

    7732d02d81d8c0b5b22cd6eab1b754f6

  • SHA1

    490743abb712f9875b9146e398a9e1b85ec84438

  • SHA256

    5a71b92d9d691754a5ff056b7d4aa819e26f2e55485d17623c5be00e431d91f8

  • SHA512

    d6e657d4824a4d79e771c3ec20006a216c4e25b47c2d9cdf230bc71973fd7fb0ec965aac8568f226d59d55dfe5705866b3f6e6b9e7d5d872afe15b2a96a77f19

  • SSDEEP

    768:3yyQXfpwh0ZOds/5EXv2C54NbptaDL0grngoZHYgXLBYfUV:3y9fpvZOdsx2v2+4b/aDLDrnpYgXLKf

Malware Config

Extracted

Family

gozi

Botnet

4780

C2

microsoft.com

avast.com

Attributes
  • build

    214084

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a71b92d9d691754a5ff056b7d4aa819e26f2e55485d17623c5be00e431d91f8.exe
    "C:\Users\Admin\AppData\Local\Temp\5a71b92d9d691754a5ff056b7d4aa819e26f2e55485d17623c5be00e431d91f8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2860
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:384
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4132 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2896
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1440
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4444
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3556 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1320

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

    Filesize

    471B

    MD5

    89e41da28cb2a41b5d1ca29c1814d2cf

    SHA1

    7472652c636607809a889570cded8d3b697058ea

    SHA256

    9d00ef4c25a1e32d8c85b0aaf285ed92f6a15a6be4571422a45d26ebf8ae1e89

    SHA512

    c2b9ad6cf4bf11eb4909b98cca7d8ca7ceb730a8393cf32376a8331d45bd52f2d6a7c79179bb822374486d87aa273c3c1cc599a5bf9845039322753ec03cf7ff

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

    Filesize

    412B

    MD5

    48b43c6c37c231689cdb19f884776ea6

    SHA1

    73e3213e5860bbff5e8bac3464526f4725094adf

    SHA256

    6be5e9be1350f5decc200840b3add302170fdcf01b7854a516d6039b46a83a04

    SHA512

    d2852f9998612a39ea184d75ea7b8add4c297787fb6f990f3643ba920437e967b434ce996ad6f77369a6622aa9ecc9ebeaf57411512c4400191f8e7ee23ecebc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

    Filesize

    4KB

    MD5

    da597791be3b6e732f0bc8b20e38ee62

    SHA1

    1125c45d285c360542027d7554a5c442288974de

    SHA256

    5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

    SHA512

    d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\WP9FRD6A\www.avast[1].xml

    Filesize

    13B

    MD5

    c1ddea3ef6bbef3e7060a1a9ad89e4c5

    SHA1

    35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

    SHA256

    b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

    SHA512

    6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9mvnha2\imagestore.dat

    Filesize

    8KB

    MD5

    9e0b378bd555e7044914c3cb981590ab

    SHA1

    f4cbb819a5a41b7e6b08ebae3f104217535b525f

    SHA256

    a989381121604550ac4748d757cb8456983236b53695da053d35709d49671d31

    SHA512

    3abe1d21a414a0b33d886a451a26e6983e1da4ef52fa75d2959ae2ce954fe133ca2441bcb5501715bdb8a8fc2b9c00413b342a1fd775fcfa24c53e7863841b98

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MGQ8IQ23\favicon[1].ico

    Filesize

    7KB

    MD5

    be87fd81ff4e82e7ed57b0c8951c66d0

    SHA1

    4a918234d3225b585dffb7b6d587acb3fbb39618

    SHA256

    637b67152dba0b0b33c8aadb38ea7c86b7a12b37366c7183f898c36c222b04fd

    SHA512

    87ec908135335b4074d412b04188bf05d00f468400d2837ba2ca1c77440b6f2f15ba648f2a8f42b1301d77df54bf2a00e59416942807ccd90e36f59431638de7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YK2OJUB8\mwfmdl2-v3.54[1].woff

    Filesize

    25KB

    MD5

    d0263dc03be4c393a90bda733c57d6db

    SHA1

    8a032b6deab53a33234c735133b48518f8643b92

    SHA256

    22b4df5c33045b645cafa45b04685f4752e471a2e933bff5bf14324d87deee12

    SHA512

    9511bef269ae0797addf4cd6f2fec4ad0c4a4e06b3e5bf6138c7678a203022ac4818c7d446d154594504c947da3061030e82472d2708149c0709b1a070fdd0e3

  • C:\Users\Admin\AppData\Local\Temp\~DFED50AA3913215AFA.TMP

    Filesize

    16KB

    MD5

    1cb1bd816b7bb88bda0e385096bff977

    SHA1

    fa745d83c220ed32bfce3148078832ddf1cca3ee

    SHA256

    af012dba8aa1fd3cb38d7b6a811858d55e6a200433b1f001f44d80ab8f226368

    SHA512

    2c735f56bef0ac3405c6d674b2dbce0e1cd4c463209e52374c7e34d7dcaece0a8a54f0a7de2036f00415d8e971522fb5283fc9a1684873394c13b0ab1ba72a7f

  • memory/2860-0-0x00000000029C0000-0x00000000029CF000-memory.dmp

    Filesize

    60KB