Overview

overview

10

Static

static

1

44fbfc91f9...36.zip

windows7-x64

3

44fbfc91f9...36.zip

windows10-2004-x64

1

60eafa94ce...a30.js

windows7-x64

10

60eafa94ce...a30.js

windows10-2004-x64

10

Resubmissions

25/03/2025, 21:22

250325-z7241awn18 10

25/03/2025, 21:19

250325-z553wasxfy 10

25/03/2025, 21:15

250325-z39chswnx3 10

Analysis

  • max time kernel
    142s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2025, 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js

  • Size

    1.3MB

  • MD5

    34686f47e7d2f9206fd5dab3814ed870

  • SHA1

    447fbec5fb2ffe97d839ce8ed56a75383dca02c1

  • SHA256

    60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30

  • SHA512

    092c9f37b44781031cd731a7c8fd358a3de4ac8be1192176bbb558e87a313c664918cc895e6c1971138342fb4bf24423afb6398ef6431d05c24f28a7c8788076

  • SSDEEP

    6144:Zi9kVg2B54Ah7JHNhbvxPKf1wGYew0CATXH4R+LcKzwi1w3R1V8KyIvSzxRUXkjN:ZA

Score
10/10
gozi3300bankerdiscoveryexecutionisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3300

C2

addlock.mitial.at/api1

Attributes
  • build

    250141

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    730

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\regsvr32.exe
        -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1732
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2668
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:537609 /prefetch:2
      2⤵
        PID:2428
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1308
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2632
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2136 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1428

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      71KB

      MD5

      83142242e97b8953c386f988aa694e4a

      SHA1

      833ed12fc15b356136dcdd27c61a50f59c5c7d50

      SHA256

      d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

      SHA512

      bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      4504113f8e72a361534125b0bec8413b

      SHA1

      1bf59632ef1f39b272bd23964836494b2aa55652

      SHA256

      a21a757363366d11a7b6c33043c2c057839c36a098d31119fcac3f2a2cfa8a9c

      SHA512

      032ab39ae7b19457199f01d2201f4ec287fe0266ee9ad122988b46e56831356a8fe7da663c29cd01f3c925b0c4f4bcec63d5e192b2c74419f6cf2ecd03c01aa8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3c4aff51a7c726e00ce74d204995e8eb

      SHA1

      87a839a89ce3bbe209dad5ddf4fba3595f66ba63

      SHA256

      44568e9f1bd51afa3a5c74f66c1e069425709c89d5e6628452ca967c614eaafb

      SHA512

      018c04737a226272f7f21c79ce98d4665a32d95d8240546a52e163d8b8ae4161e4e60a341cce885194e57effd97c7f5e3662885bfcea6cadd5ec5a2e0d53a593

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b93eb88a83d496f6ae272cc23818f9bc

      SHA1

      77ba644d3eed23eeb7c4e1e5754ea6d078871391

      SHA256

      17d68b11fe8bf6456b61eec827073303a83b1c6ae00f19906a1e3740517a9fbd

      SHA512

      f45027e5b1ffa36376b4e4fc96fc8758779acf36c1d53c267ccd0357c5aac510c6a9518652e5212e70e5f69f458b8a99f1be54e987e749791890f34853e52363

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b3ed9d25e0d13eef0bbbcea8d1b74e24

      SHA1

      4fee5225d1dc03b29940360decfb7de9afda177f

      SHA256

      4e4e97e6642477bc8fdbb6a1ce77fa44a97fa322dfa7a7fb66153b7e731c94bb

      SHA512

      86e3aa423e2f754dfc7561638bd18ec9ade7b739a90a0bae6dc48118bb3540c273ea63adddce295fc48702d6943bfc2fd18ebc4f822c211223849b14f072093b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      8a789776f12615ab030de3da692ec729

      SHA1

      658003fba8c62084f907783b619c006e858661aa

      SHA256

      80baf1cc700b87b4be831ab867fef24b153e7006269fdfeb89c756e9f7c8609b

      SHA512

      46fbef8a6eebe5fc5260e70a36f329c57e6a988abcd94dd8a059de788e78fb9f83a54b5f492983ac59fd887c2eb4f6a9ca1bd0cc9d089bcd15189c9e2c5bb141

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      5dfb106dfe1d49c945022787e425ea3a

      SHA1

      4aa64118baf1467076adfc2f70bb7e0a210588ab

      SHA256

      84387d5b2b04910389cb8d08827318ab3a5461745587210e5e8c01fee9f28e6b

      SHA512

      42077623d6f334fb7c16a5cdb9bc35304c3e93656e171ed955694fb589c56c8849a1cc3a02e13c953d36bd08f01819cf441b863eb0718901837c0acfd94b38e4

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      0c91a940d822c819068b0876afa9be54

      SHA1

      45a9364f9c09fbc4338ab201abed90557c221120

      SHA256

      90f17d7860d4eac0a38d197404bac965f801d5c841e82ca6406e3478f411cd23

      SHA512

      23a59a7b3533e411a13b46c7711fb13ea03ad64b26cd68975411ab0440c2673a4508b5bfb26ff2c4b0a02cefe8f749859fea717ae50150af1d63feb869d3719f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      1d43e7306735274dfb2a2413442c9154

      SHA1

      360e7258f58dc1c322a98ecfbe91faa069bd38dd

      SHA256

      620f962a45add9fc4aefb3b1fd6e987287cf187830c1f6f827444e5a9b17c5da

      SHA512

      1350ec48266d262bddbb26fd818587c6ee406898fbd224c13607e909e64a5139902900a0133793a6c1e1f039a1f4bb1f2e4a764ad73096cf04ade9a694204cc2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      59727aa0bd37e530e05af86fbce8c614

      SHA1

      b1be4b02002b0b216b66a897c671a61241391f6a

      SHA256

      dc20c2bd88fa6e2356da9e647e9f17a200d95b2c94878545ec6164859eeaa546

      SHA512

      9901b92ab87ee25932b726d55e426a4a1d1c18487b8014e8e8e0b6d2ed85c58653c1e898c6bd2a59d8e82361e45dab4a3dd8aeac48219dde9fa658eedca7f626

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AiJkqydZbl.txt
      Filesize

      204KB

      MD5

      952bc67de7e7e40d3938ae5d9118bde9

      SHA1

      c9479c7cbe08c9b9c8d022f0a9dc0d64277936e8

      SHA256

      52b9735c9182c90dcf54bb2d1ae287bd702417070fa3dd403232b0a5c26b857f

      SHA512

      667a6894b3e772822a926e6543819f351639436e6a8d98f7bc6238f77c2d3d62227ab11b3beb007326437317c52e690a62f539ce196258f6c07192acbb1565ea

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar3635.tmp
      Filesize

      183KB

      MD5

      109cab5505f5e065b63d01361467a83b

      SHA1

      4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

      SHA256

      ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

      SHA512

      753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFD7DD74643A5797B8.TMP
      Filesize

      16KB

      MD5

      75860394720ed50f48bbb58425a35663

      SHA1

      8944a6e0aad1995592450aa97d532e601ae0505f

      SHA256

      711c1b3c4939f60607e9609d12308bb6fa2d7af8d6fb13144c54ece177d9a6ea

      SHA512

      1ac5c86e974a3c52a1c589e8bfebcb3a54eb83b81bedb1cdd1638e6bf9347f59a9f70c89bd5bb9dad177b44a4e7c0e66d16ffe74abd97d05940c586bbca9b404

      Download Submit

    • memory/1732-12-0x0000000000240000-0x0000000000242000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1732-11-0x00000000022A8000-0x00000000022AB000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1732-7-0x00000000001F0000-0x0000000000200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1732-6-0x0000000002290000-0x00000000023BE000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1732-5-0x00000000022A8000-0x00000000022AB000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1732-3-0x0000000002290000-0x00000000023BE000-memory.dmp

      Filesize

      1.2MB

      Download