Overview

overview

10

Static

static

1

d7fafabbb3...f3.dll

windows7-x64

10

d7fafabbb3...f3.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2025, 20:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3.dll

  • Size

    234KB

  • MD5

    c9d954b3f1c512e6804fd8f5637b58b6

  • SHA1

    b452040d8072117ddbe1adf9e1eab5e4bdb150bd

  • SHA256

    d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3

  • SHA512

    a4e949017016c1cfaa9bdff664c8ee20b2a34fe78788de9a4338ae5ad9a8a2623ccafe6d4584ef4f6cb29bc05dbcb3a71cbcd4051560287fbe74fb5a5738c09b

  • SSDEEP

    6144:SCY2oo127AHBPr4CggrMbPMdsf5LLNBU94nzKE:SSD6w4bKsf5PUomE

Score
10/10
gozi3050bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3050

C2

c.s-microsoft.com

ajax.googleapis.com

groovcerl.xyz
Attributes
  • build

    250166

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    107.174.86.134

    107.175.127.22

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3.dll
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3212
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:940
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5360
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5360 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4564
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:5328
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:5700
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4812 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
    Filesize

    471B

    MD5

    a7bdbc839b37be41f3f97eace5a7a837

    SHA1

    d29d93311999f94110ad379847c146e4999c2bc7

    SHA256

    ae7d1a6f478f0451b1a0323ce4e49c2fa6f2024fde64c2faac9d177f33a1472f

    SHA512

    e17333c9b10e6542bf05e6769996ee83a39c5773ce6896aa4b2be4b09c552f760f4a78e86edbc4e93c4ce66c8790338e6ae009f7bebfb13453afa17164806ba9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
    Filesize

    412B

    MD5

    0b1dca93962f940dcc9c9bb27f304e40

    SHA1

    eb35ff4c2cd06b0367b145993aa9f8d8d758a49f

    SHA256

    6a05c0d64cddfc43a2f79054ef6a2b30da8bf3d3d8b77cc02f65f69ace1d2c58

    SHA512

    e797cccbbdd9c1bda65760515454ac937cb9c0384f80065cae77e9577c1e163d621f5bfe12239f93a5f0fa0738603a3c7199aa54f48f9001a4d677ed0d1dd3fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\A0YW8B0D\mwfmdl2-v3.54[1].woff
    Filesize

    25KB

    MD5

    d0263dc03be4c393a90bda733c57d6db

    SHA1

    8a032b6deab53a33234c735133b48518f8643b92

    SHA256

    22b4df5c33045b645cafa45b04685f4752e471a2e933bff5bf14324d87deee12

    SHA512

    9511bef269ae0797addf4cd6f2fec4ad0c4a4e06b3e5bf6138c7678a203022ac4818c7d446d154594504c947da3061030e82472d2708149c0709b1a070fdd0e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~DF5FC4EA1B2751C186.TMP
    Filesize

    16KB

    MD5

    97f9c0cf850e40cf13068c77e136c0a8

    SHA1

    c6d9491e372c8a81087d82d686de5a29ea9c7ea2

    SHA256

    5f98b9f966d01cce717744e9aa429901f8428362304e9ee4ea12bfb9f3b78e00

    SHA512

    84d37b290ab924b6313b0bb5d7ba7d0b9b6806d32dbf787e825bcae8216669113434c0c5a97a187f4a3d1c6dc07887d214cf9a079c0abe35fcecb38798197186

    Download Submit

  • memory/3212-0-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3212-1-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3212-12-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download