Resubmissions

25/03/2025, 21:22

250325-z7241awn18 10

25/03/2025, 21:19

250325-z553wasxfy 10

25/03/2025, 21:15

250325-z39chswnx3 10

Analysis

  • max time kernel
    143s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/03/2025, 21:15

General

  • Target

    60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js

  • Size

    1.3MB

  • MD5

    34686f47e7d2f9206fd5dab3814ed870

  • SHA1

    447fbec5fb2ffe97d839ce8ed56a75383dca02c1

  • SHA256

    60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30

  • SHA512

    092c9f37b44781031cd731a7c8fd358a3de4ac8be1192176bbb558e87a313c664918cc895e6c1971138342fb4bf24423afb6398ef6431d05c24f28a7c8788076

  • SSDEEP

    6144:Zi9kVg2B54Ah7JHNhbvxPKf1wGYew0CATXH4R+LcKzwi1w3R1V8KyIvSzxRUXkjN:ZA

Malware Config

Extracted

Family

gozi

Botnet

3300

C2

addlock.mitial.at/api1

Attributes
  • build

    250141

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    730

  • rsa_pubkey.plain

  • serpent.plain

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\regsvr32.exe
        -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2788
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1624 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2684
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1624 CREDAT:472086 /prefetch:2
      2⤵
      PID:300
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1620
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1584
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2836
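
The process tree above is the part of this report a detection engineer would turn into a rule: a script host (wscript.exe) launches regsvr32.exe with -s against a file in the user's Temp directory whose extension is .txt rather than .dll, and the 64-bit regsvr32 then re-executes its SysWOW64 counterpart to load the 32-bit module. The doubled backslash in Temp\\AiJkqydZbl.txt is itself a tell, consistent with the JavaScript dropper building the path from an escaped string literal and passing it through unchanged. The Python below is an added example, not part of the Triage report or of any Hatching tooling, that runs that logic over process-creation events. The event records are constructed here from the tree above (PIDs, images and command lines copied from it, plus one benign regsvr32 control with an assumed PID), and the ProcEvent field names are an assumption loosely modelled on Sysmon event ID 1, not an export from any particular log source.

```python
"""Flag the wscript.exe -> regsvr32.exe -s <Temp>\\x.txt chain from this report.

Added example, not part of the Triage report. EVENTS is constructed from
the report's process tree; the ProcEvent field names are an assumption
loosely modelled on Sysmon event ID 1, not an export of any real log source.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started process
    cmdline: str    # command line as logged


# Constructed sample events: PIDs, images and command lines copied from the
# report's process tree, plus one benign regsvr32 control (pid 4100, assumed).
EVENTS: List[ProcEvent] = [
    ProcEvent(2688, 1000, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js"),
    ProcEvent(2524, 2688, r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt'),
    ProcEvent(2788, 2524, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"-s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
MODULE_EXTENSIONS = {"dll", "ocx", "ax"}   # what regsvr32 legitimately registers
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
_TOKEN = re.compile(r'"[^"]*"|\S+')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def regsvr32_target(cmdline: str) -> Optional[str]:
    """Return the module path regsvr32 was asked to load, or None.

    Drops the image token (if it was logged) and any /x or -x switch; the
    last remaining token is the module. Surrounding quotes are removed.
    """
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    args = [t for t in tokens
            if t and not t.lower().endswith("regsvr32.exe") and t[0] not in "/-"]
    return args[-1] if args else None


def analyze(events: List[ProcEvent], max_hops: int = 3) -> List[dict]:
    """Return one finding per suspicious regsvr32 process, with its reasons."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "regsvr32.exe":
            continue
        reasons = []

        # Walk up to max_hops ancestors so the SysWOW64 re-exec
        # (regsvr32 -> regsvr32) still resolves to the script host that
        # started the chain instead of hiding it behind one extra hop.
        parent, hops = by_pid.get(e.ppid), 0
        while parent is not None and hops < max_hops:
            if basename(parent.image) in SCRIPT_HOSTS:
                reasons.append(f"spawned under {basename(parent.image)} (pid {parent.pid})")
                break
            parent, hops = by_pid.get(parent.ppid), hops + 1

        target = regsvr32_target(e.cmdline)
        if target:
            ext = target.rsplit(".", 1)[-1].lower() if "." in basename(target) else ""
            if ext not in MODULE_EXTENSIONS:
                reasons.append(f"module has non-DLL extension '.{ext}': {target}")
            if USER_WRITABLE.search(target):
                reasons.append("module loaded from a user-writable directory")
            if "\\\\" in target:
                reasons.append("doubled backslash in path (string-escape artifact of a script builder)")

        if reasons:
            findings.append({"pid": e.pid, "image": e.image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(f"pid {finding['pid']} {finding['image']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Running the file prints two findings, one for PID 2524 and one for PID 2788, and nothing for the benign control. The SysWOW64 instance is reported on its own because it is its own process-creation event; a rule keyed only on the immediate parent would see regsvr32 spawned by regsvr32 and miss the script host, which is why the ancestor walk goes up to three hops.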

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      71KB

      MD5

      83142242e97b8953c386f988aa694e4a

      SHA1

      833ed12fc15b356136dcdd27c61a50f59c5c7d50

      SHA256

      d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

      SHA512

      bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      2900eb3343e9d5d5724378d93e97ec9b

      SHA1

      f22c2c96f4cb781083acf46c3c5feb051f7516b4

      SHA256

      691f64af93a4a13eb2e20c1d2969b9c0e19cefc480388273d37baf861f021288

      SHA512

      aedb23da8fd010e4ea1770b10a984aca9edf09b05ee763e0b2496bf0609f934e2b78ac32c476a39d143771396548692f71025398479b6fe4337bef588eb40a9a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      4b77a4951fe9a306dc4fe87e1a8394e3

      SHA1

      326e11ebb06c20b3791689b8aea194f45f7cc125

      SHA256

      be174258e71a20953ad0c07293df89d099227b2b7b069ed4bb0d71df0cc7b794

      SHA512

      4126893e12102050eeb3d4c1ba5c89359a7a6c2aa17778a4c6a5675899e464a090c5d039d90fb91ec4dfcd9a21d7fcd44886f087342db1d8d4f6376f6385a9bf

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      5e04465983be1a03dee320cb15e3d9c0

      SHA1

      2d468f65f09029484e252938ee0fd6c911b8fc57

      SHA256

      685f6075c6c32d875c43eb572fe521f097c12b4fa4e666dec2e77ef96e4235f9

      SHA512

      f504429104ff9ba1849c4589704d7c34bb922aeff3e8469a9f1a587b05a4fb016d05fdb7e192f3f47a730c101f542e1094949be950c57d5442fd9cf4331d0a9f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      2550e2590ebcbbb648a97b4fc461dacf

      SHA1

      32aa53c65ab04bed401d63c74301f954ea9e1196

      SHA256

      009ca59a2fbb248f32ad734239728169f93c0e9fcd075a5eb3ede42cb5196bfa

      SHA512

      a435bf0ad96e6ce06c681d3f5ccce08ad62ec4b1f22f0aabfcfe4490a47be9e67fb29cbe3eb6da5340f15cb31dcd825b3124e964b918e6afaf457624cb8ee4b5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      e2c7ff5d7e57175df7e62100df27b38f

      SHA1

      0254fab2e13b9b750a7f441639bb865b8f06789e

      SHA256

      671007902906e26912aa6b52323fa4c438f10062b6dacbf995cd64bfcd00e3aa

      SHA512

      4fbb8b571c322cb36dd70008270a0f27778a6454ff4c049c9689102a4fc9763bdaf91a3d197a6a8dbc5dd60af231663e98698b0ff163858287c2069573e669d2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      f41b7d50596b256191ad6cefbe209829

      SHA1

      8566efcf2f2504904fd8ad394054e545d900e33f

      SHA256

      ada85ad5a39cb3571ccbd0aeb9a636145d1a433d14243954a4234766b995313f

      SHA512

      01681d8c01b68e5afc169ae3918e7d4f1c5707c9813456e5e3a52ecafdc7912c3a7fca9764bddeaba7ad4152294f1f84e474224776831188d3cc82903bc1ff47

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      74120394840fa249c81459d8dc9a1075

      SHA1

      b124fb2fe59b6e55792e8422d277a4a69ea7bbe0

      SHA256

      b7e9613f08ab3ea943d67c308c57011d61132f529335435c38bc2a77d608d8cb

      SHA512

      6151401018ea853654809780c056ed5eb7b4a0b2979133a8f4f6b376f2bc7d58261623dc3e6014756ef9c725741cab6a17036f374c641be2e62a5cb8f459f666

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      54d95fef0dab0565d94245a8382f1089

      SHA1

      e915565af2736aced3bafd6349e0a243616f5ab2

      SHA256

      94a5e912faf41118d667309316d369112a8701cedd249ac85b40537bdf77a7f6

      SHA512

      53afc18f5935943d072bd572ac9944774fb83c226b2aec0227d356866821ddce6be52f0120c9455b061348e2b3a169884a631de5a2c2191558a44a0d6d49bca8

    • C:\Users\Admin\AppData\Local\Temp\AiJkqydZbl.txt

      Filesize

      204KB

      MD5

      952bc67de7e7e40d3938ae5d9118bde9

      SHA1

      c9479c7cbe08c9b9c8d022f0a9dc0d64277936e8

      SHA256

      52b9735c9182c90dcf54bb2d1ae287bd702417070fa3dd403232b0a5c26b857f

      SHA512

      667a6894b3e772822a926e6543819f351639436e6a8d98f7bc6238f77c2d3d62227ab11b3beb007326437317c52e690a62f539ce196258f6c07192acbb1565ea

    • C:\Users\Admin\AppData\Local\Temp\Cab38DE.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar39A1.tmp

      Filesize

      183KB

      MD5

      109cab5505f5e065b63d01361467a83b

      SHA1

      4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

      SHA256

      ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

      SHA512

      753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    • C:\Users\Admin\AppData\Local\Temp\~DF000CC63BBDB63B40.TMP

      Filesize

      16KB

      MD5

      d94ea53268c9a6d900b63d140d889dd9

      SHA1

      dd2c71e296ab6d154e53f0b427c9e85d79169122

      SHA256

      30465b6b32a263a74d7f61e8d034392b346d6e9a73ec1e264ba838778afc7998

      SHA512

      1558bebb7f2dec0ae0b79368bbcfe0534136344180050f04a9a6f99107b3bbcf6c0ea012385f89709a2659f3bc053567cca5b8907e334a5b8db57fb66903da89

    • memory/2788-3-0x0000000002240000-0x000000000236E000-memory.dmp

      Filesize

      1.2MB

    • memory/2788-5-0x0000000002258000-0x000000000225B000-memory.dmp

      Filesize

      12KB

    • memory/2788-7-0x0000000000240000-0x0000000000250000-memory.dmp

      Filesize

      64KB

    • memory/2788-6-0x0000000002240000-0x000000000236E000-memory.dmp

      Filesize

      1.2MB

    • memory/2788-12-0x0000000000280000-0x0000000000282000-memory.dmp

      Filesize

      8KB

    • memory/2788-11-0x0000000002258000-0x000000000225B000-memory.dmp

      Filesize

      12KB