Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/03/2025, 19:48

General

  • Target

    07a73fb70fa63ff53d091c68cb1e5728314ff7b479ca695050173faf3f8f5ea2.dll

  • Size

    119KB

  • MD5

    c8392d93a1f064a53abb61887cad409b

  • SHA1

    20c77abcc1e3904bf337af924200d63aaa012b1b

  • SHA256

    07a73fb70fa63ff53d091c68cb1e5728314ff7b479ca695050173faf3f8f5ea2

  • SHA512

    1b677b00d7db9266a9c05f653e3dcbacd6a9ff29fa84ffcc64775b1e200618b73ca142de333116194e2937bebcd9a7008fd2112fb615cfac459c2973bcb625a8

  • SSDEEP

    3072:3VtPSsu5yds0ZCzsRqojgfwE3DCW/5z5TCXq:lUT5yd3ZCXfIQR95Tf

Malware Config

Extracted

Family

gozi

Botnet

7242

C2

web.vortex.data.microsoft.com

ocsp.sca1b.amazontrust.com

settingsline.com

Attributes
  • build

    250162

  • dns_servers

    107.174.86.134

    107.175.127.22

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\07a73fb70fa63ff53d091c68cb1e5728314ff7b479ca695050173faf3f8f5ea2.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:292
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\07a73fb70fa63ff53d091c68cb1e5728314ff7b479ca695050173faf3f8f5ea2.dll
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1852
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2268
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:209934 /prefetch:2
      2⤵
      PID:1496
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1768 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1848
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:912
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1792

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      71KB

      MD5

      83142242e97b8953c386f988aa694e4a

      SHA1

      833ed12fc15b356136dcdd27c61a50f59c5c7d50

      SHA256

      d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

      SHA512

      bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      31e818fe4cbfe9f6367b02f471088219

      SHA1

      1241523203df08ed193e955725e03c9ce1daf060

      SHA256

      f5569861ddbac3030863e0d97ca1b5c10a3c718784027d02d96d0e5849341ec1

      SHA512

      5953540923dec16aafb5db9821861b34c571d38a25a557365534cf06f610518eaf09b590ed6dda4472c53c91c75279c46b1570de18c78f2d6bf41c236d0e6983

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      132293abdfadac20cad85620c4e79395

      SHA1

      5ea40151445d8970b48b802afbaac5db00b68a7e

      SHA256

      d113df123fc8ded91ce41d3d38eec91956c99b41019347d535edcd02610c766b

      SHA512

      08ceb12299cc811610b2bb7cde51e76478cacc84fc2df953deaef5f731d766d996c9a84f4ae72cca644ad6b03421aa1c1630eaaf5883c833d88b4dee0baf0be7

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      9f2ce4a49e30495c600664630ab58994

      SHA1

      8eb2520fb5b66187d90083e4e7c76573b3f2bd1a

      SHA256

      6c09eb15515e37e93c0783bf91557095b7783c91765972da835622257e8d61cb

      SHA512

      ab6571f32369d5e59a4864924135b67b72354377827cf82b3bb09a89ede23e8ac105084acf20a957e1582f8d47652903a1e6274c9f316ddf74fa74a82b177299

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      7d260a706ac5fd520ca10d1a9a927ae4

      SHA1

      14818befb1f259bbff47a9e10c8df08976c49e79

      SHA256

      80da7b49ff9c74307ea98373255931fd64c8c99bb3361ba7dca0c11d10db7fc0

      SHA512

      4b0bf4e7efaf84c6b5ec8ab5a0d7a08e0377b17b29d26635851683f713403adaa16ab6933926696cdc1268759e5d8c309ebe6f91810b80898e2f03bbbb1d3b59

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      fd1c4255b9d1a0d50b0c98332bafe934

      SHA1

      51c9a7d02e5912ee63c02733a930366ca59a39a9

      SHA256

      b7b21fa925c04515c42100366ecce534d390373ee25f54b899771d5cb34fa563

      SHA512

      5802a652db2c925c3a6cc77bac4672b5be93c24476566786635ead1cc7f42faf65c091eedfbe0f2e7cfe0c9984b8c4dd6a6af0db4035e07aa08b08de39d61e5a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      fc1c40b03d610ed842e2844c90b0b141

      SHA1

      42116cf6940418be72831c01973d12a91c499ab2

      SHA256

      813f9193c6accb5086dcd24316044bf64280b60517b0b90c236c6489699ffff6

      SHA512

      e383b5f3032d811c18f24f2524cd36f8aec99a90a2fd633a4d8fb417fbfd153803fe78b286571a05cadb2467398b61054763fa1b2b8ebc016fd42f536813a2ca

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      9db5b1147c5715d5d4105cefdb85f56d

      SHA1

      6325bd1318454f859710bfe70b039a02798f40dc

      SHA256

      661b8511586f042b93eb37bc2e820d6c8c7ce4449ba4c815f4020006621fe46f

      SHA512

      93d00bb818d33724fbc457d3ff28b9a6bfca9db2252be9165f09932026e3f87085cdcc5a38550f9c7731e8cbfcbb8f4437c9fbf0666ee0e9e1a67151439987ab

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      8f8ebc43b026ad5384ecc6b790d0419b

      SHA1

      cefc928a03887f167fcaab5fc39aa89ce54cb871

      SHA256

      cf9a2069bf37a58251e21f646e7eb16822ab5f26a3a9d91c8a47ab49a7258761

      SHA512

      ecac2f1287541e4260f31d4fdbd4f21d0e5aabdcc59eb5fdc4f9ff3bbe733890b1cd5eb4311084f56bd484f95c49ae69823237190a95981ff39606be1e62124a

    • C:\Users\Admin\AppData\Local\Temp\CabCFE0.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarD0A2.tmp

      Filesize

      183KB

      MD5

      109cab5505f5e065b63d01361467a83b

      SHA1

      4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

      SHA256

      ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

      SHA512

      753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    • C:\Users\Admin\AppData\Local\Temp\~DF60CE3A918DF14DD5.TMP

      Filesize

      16KB

      MD5

      bca60278a636a653c69b27738b15621a

      SHA1

      50cf7646e322991b4a6535507f0e76dd9742d358

      SHA256

      625519b679f87a62b5dd67c232936df95588eb41140b8e0bf1732c3be11cac78

      SHA512

      6b8b46fb45129dd570e4e1e72f7bd843eefd268b7b5b8a8f6ef87457b16db29650de8a5bcb5fa128ac3134d26b793ab31b49b757959ca9020d4dd30884ccfc4e

    • memory/1852-0-0x0000000000C90000-0x0000000000CB5000-memory.dmp

      Filesize

      148KB

    • memory/1852-12-0x0000000000C90000-0x0000000000CB5000-memory.dmp

      Filesize

      148KB

    • memory/1852-13-0x0000000000C91000-0x0000000000C98000-memory.dmp

      Filesize

      28KB

    • memory/1852-5-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

      Filesize

      8KB

    • memory/1852-2-0x0000000000CF0000-0x0000000000D00000-memory.dmp

      Filesize

      64KB

    • memory/1852-1-0x0000000000C91000-0x0000000000C98000-memory.dmp

      Filesize

      28KB