gozi | c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe
Size

632KB
MD5

222831dc032b9cd1dad652a777419574
SHA1

37d45f0c42caddf9516b715bbec8db679ff3cff9
SHA256

c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7
SHA512

2f9778d283d5cb7467332924f7fef8e1e576a41fa4c572e6786632444f9aa82de31873e711324170e46cb7bb893ce0fa43e27d7608fa94a40eeecf4dd07a8039
SSDEEP

12288:wRWNcr8oxnLUiPclPA0DCQLsehJA3LQiEorgiYSsrGhtcLQaX:TNBILVIoQCoRJAke1rsrQtsJ

Score

10^/10

gozi 3000 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3000

unikymprogress.ru

ferarirecord.ru

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Executes dropped EXE 2 IoCs

Processes:

UnRAR.exemd5.exe

pid process

2784 UnRAR.exe
1980 md5.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2480 cmd.exe
2480 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2784	UnRAR.exe
1980	md5.exe

pid	process
2480	cmd.exe
2480	cmd.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.execmd.exe

description	pid	process	target process
PID 3028 wrote to memory of 2480	3028	c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe	cmd.exe
PID 3028 wrote to memory of 2480	3028	c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe	cmd.exe
PID 3028 wrote to memory of 2480	3028	c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe	cmd.exe
PID 3028 wrote to memory of 2480	3028	c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe	cmd.exe
PID 3028 wrote to memory of 2480	3028	c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe	cmd.exe
PID 3028 wrote to memory of 2480	3028	c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe	cmd.exe
PID 3028 wrote to memory of 2480	3028	c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe	cmd.exe
PID 2480 wrote to memory of 2784	2480	cmd.exe	UnRAR.exe
PID 2480 wrote to memory of 2784	2480	cmd.exe	UnRAR.exe
PID 2480 wrote to memory of 2784	2480	cmd.exe	UnRAR.exe
PID 2480 wrote to memory of 2784	2480	cmd.exe	UnRAR.exe
PID 2480 wrote to memory of 2784	2480	cmd.exe	UnRAR.exe
PID 2480 wrote to memory of 2784	2480	cmd.exe	UnRAR.exe
PID 2480 wrote to memory of 2784	2480	cmd.exe	UnRAR.exe
PID 2480 wrote to memory of 1980	2480	cmd.exe	md5.exe
PID 2480 wrote to memory of 1980	2480	cmd.exe	md5.exe
PID 2480 wrote to memory of 1980	2480	cmd.exe	md5.exe
PID 2480 wrote to memory of 1980	2480	cmd.exe	md5.exe
PID 2480 wrote to memory of 1980	2480	cmd.exe	md5.exe
PID 2480 wrote to memory of 1980	2480	cmd.exe	md5.exe
PID 2480 wrote to memory of 1980	2480	cmd.exe	md5.exe

C:\Users\Admin\AppData\Local\Temp\c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe
"C:\Users\Admin\AppData\Local\Temp\c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\UnRAR.exe
UnRAR.exe e -p83102a md5.rar
3⤵
- Executes dropped EXE
PID:2784

C:\Users\Admin\AppData\Local\Temp\md5.exe
md5.exe
3⤵
- Executes dropped EXE
PID:1980

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UnRAR.exe
Filesize
299KB

MD5
f9388c6824adabb36596642ebc368db7

SHA1
7cf300de45e497224b4ee3a2891d961bb38cc7a0

SHA256
3a8020a4a16ea37a9d6fac6bbc8345e54dea92c247f4b9d630bc32780faf4dee

SHA512
db0c19d2d8e8d8879095e65f6d2216f32ed29f0832dc53023ac2c1bc3558330e7ad12cee4e74ca5bf6e65c3133b0b6f220eed9bb702e5022808f585bfcf26001

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat
Filesize
102B

MD5
d357b49de1eff9c0b92779cc4b976a81

SHA1
0662a967d7b462f7170882eebce4068f7a4c0fac

SHA256
64c2fd677a11e309a5eb51d83eac7295be72ddca5ca234e57c3e49621f0b416d

SHA512
f75903dbc4bad5e0a6b380723dc06047bdbf6da978ee2dd088231dfac761292e2d9bb762e6f5db02e50a0c26dff7836746c110e01381d0c6c1e7bcc1b9e4eeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\md5.exe
Filesize
423KB

MD5
199962380ea67533cbf4e28873b2444f

SHA1
94794d37c012a2ebff519a5a04cc38b2dd1b51f4

SHA256
551dd2d44ed5c9eea686678c540851abfcccbf8ea12d669c291fc3465e708437

SHA512
de4959fab7e6c0bd9b505b9e4303877bf68a427295257d93d13ea1d4de021c8a172d807f8a824f7d2f70a184b299f503fc450d070997e98ea3294abec2c30677

Download Submit
C:\Users\Admin\AppData\Local\Temp\md5.rar
Filesize
300KB

MD5
e68d6b097b47a80437a47cf4a3125341

SHA1
58bbfffbe452b71dea2df8d72ae9fbfd16d540f7

SHA256
df4ea1e37bbcf10c31548a309334b740e6dd16fd159e14c501ce6eebafe6fe39

SHA512
77264d9b87f11930c42f56cb9cd03419eee0e44ea6965f5ed05f90bb802da6f2fbd0118aeb01780eff44cba26f686a1692286fc57ae22e0305890b7a40b5934a

Download Submit
memory/1980-29-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads