
gozi.exe

Status: finished
Submission Time: 12.01.2022 13:00:18
Malicious
E-Banking Trojan
Trojan
Spyware
Evader
Ursnif

Tags

  • exe
  • gozi

Details

  • Analysis ID:
    551701
  • API (Web) ID:
    919227
  • Analysis Started:
    12.01.2022 13:00:19
  • Analysis Finished:
    12.01.2022 13:18:16
  • MD5:
    8ee79738c37a919fdf38dc5a621556ce
  • SHA1:
    ae35e761cd1633fa8b70bda3c2e3649c1694ffd1
  • SHA256:
    51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
  • Technologies:
Verdict and score

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

  • malicious
  • malicious (100/100)
  • malicious (26/68)
  • malicious (14/35)
  • malicious (28/43)
  • malicious
  • malicious

IPs

IP               Country
144.76.136.153   Germany
185.189.12.123   Russian Federation

Note: 144.76.136.153 is transfer.sh (see Domains), a public file-sharing service used here to fetch lia.exe (see URLs); the exact download URL is the indicator, the shared hosting IP is not. 185.189.12.123 serves both io.immontyr.com and apr.intooltak.com, the two domains that receive the long encoded request paths listed under URLs.

Domains

Name                          IP
myip.opendns.com              102.129.143.64
resolver1.opendns.com         208.67.222.222
transfer.sh                   144.76.136.153
io.immontyr.com               185.189.12.123
apr.intooltak.com             185.189.12.123
222.222.67.208.in-addr.arpa   0.0.0.0

Note: myip.opendns.com answers with the public address of the host that asks, so 102.129.143.64 is the analysis system's egress IP, not attacker infrastructure. The PTR query for 208.67.222.222 (222.222.67.208.in-addr.arpa) next to the resolver1.opendns.com lookup is the footprint of an external-IP check such as nslookup myip.opendns.com resolver1.opendns.com. The two domains on 185.189.12.123 are the ones contacted with the encoded request paths under URLs.

URLs

Name
http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH
http://io.immontyr.com/cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew
http://apr.intooltak.com/vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr
http://www.fontbureau.com/designersG
http://www.fontbureau.com/designers/?
http://www.founder.com.cn/cn/bThe
http://www.fontbureau.com/designers?
http://ns.adobp/
http://constitution.org/usdeclar.txtC:
https://contoso.com/License
http://https://file://USER.ID%lu.exe/upd
http://www.tiro.com
http://www.fontbureau.com/designers
http://www.goodfont.co.kr
http://www.sajatypeworks.com
http://www.typography.netD
http://www.founder.com.cn/cn/cThe
http://www.galapagosdesign.com/staff/dennis.htm
http://fontfabrik.com
https://transfer.sh/get/3dvhcv/lia.exe
https://contoso.com/
https://nuget.org/nuget.exe
http://www.galapagosdesign.com/DPlease
http://www.fonts.com
http://www.sandoll.co.kr
http://www.urwpp.deDPlease
http://www.zhongyicts.com.cn
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.sakkal.com
http://nuget.org/NuGet.exe
http://www.apache.org/licenses/LICENSE-2.0
http://www.fontbureau.com
http://pesterbdd.com/images/Pester.png
http://ns.adobe.cmgR
http://www.apache.org/licenses/LICENSE-2.0.html
https://contoso.com/Icon
https://transfer.sh
https://github.com/Pester/Pester
http://www.carterandcone.coml
http://www.fontbureau.com/designers/cabarga.htmlN
http://www.founder.com.cn/cn
http://transfer.sh
http://www.fontbureau.com/designers/frere-jones.html
http://constitution.org/usdeclar.txt
http://ns.adobe.ux2
https://transfer.sh4jl
http://www.jiyu-kobo.co.jp/
http://www.fontbureau.com/designers8
http://ns.micro/1

Note: of the hidden entries, only https://transfer.sh/get/3dvhcv/lia.exe is a network indicator for this run. The rest (fontbureau.com, founder.com.cn, typography.net and the other type-foundry sites, contoso.com, nuget.org, the apache.org licence links, pesterbdd.com and github.com/Pester, the ns.adobe fragments) are strings the analyzer pulled out of embedded fonts, .NET assembly and NuGet metadata and PowerShell modules; the Domains table records no lookup for any of them. Entries with a stray suffix or truncation (designersG, ns.adobp/, transfer.sh4jl, ns.micro/1) are string-extraction artefacts, not distinct URLs.
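As an added example (not part of the sandbox report), the indicators above are run as a triage rule over constructed DNS and proxy log lines. Indicator values are copied from this report; the key=value log format, the timestamps and the triage() function are assumptions made for the illustration. The normalize_isfb_path() step relies on a documented Ursnif/ISFB trait the report itself does not state: beacon data is base64 with '+' and '/' rewritten as '_2B' and '_2F' and slashes inserted at arbitrary points, which is visible in the paths above (for instance the fragment "sm_/2FN7", where an inserted slash splits an encoded token).

```python
"""Triage DNS/proxy log lines against the network indicators in this report.

Added example, not part of the sandbox report. Indicator values are copied from
the report; the log lines are constructed; the ISFB URL encoding reversed by
normalize_isfb_path() is a documented Ursnif/Gozi trait, not something the
report spells out.
"""
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Copied from the report. transfer.sh is a public file-sharing service on shared
# hosting, so its name and IP stay out of the C2 set and the exact download URL
# is the indicator. myip.opendns.com / resolver1.opendns.com is external-IP
# discovery: a behavioural signal, not a blocklist entry.
C2_DOMAINS = {"io.immontyr.com", "apr.intooltak.com"}
C2_IPS = {"185.189.12.123"}
DOWNLOAD_URLS = {"https://transfer.sh/get/3dvhcv/lia.exe"}
IP_DISCOVERY_DOMAINS = {"myip.opendns.com", "resolver1.opendns.com"}

B64_BODY = re.compile(r"[A-Za-z0-9+/]+")


def normalize_isfb_path(path: str) -> Optional[bytes]:
    """Undo the ISFB URL transform; return the carried bytes, or None.

    ISFB base64-encodes its (encrypted) beacon, rewrites '+' as '_2B' and '/'
    as '_2F', then inserts '/' at arbitrary points. Reversing that yields
    ciphertext, so this is a shape check to combine with the host, not a decode.
    """
    body = path.split("?", 1)[0].replace("/", "")
    body = body.replace("_2B", "+").replace("_2F", "/")
    if len(body) < 32 or not B64_BODY.fullmatch(body) or len(body) % 4 == 1:
        return None
    body += "=" * (-len(body) % 4)  # ISFB strips the padding; restore it
    try:
        return base64.b64decode(body)
    except ValueError:
        return None


def parse(line: str) -> Dict[str, str]:
    """Split a constructed 'key=value key=value' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def triage(lines: List[str]) -> List[dict]:
    """Return one finding per line that touches an indicator, with the tags it hit."""
    findings = []
    for line in lines:
        ev = parse(line)
        host = ev.get("host", "")
        tags = []
        if host in C2_DOMAINS:
            tags.append("c2_domain")
        if ev.get("answer") in C2_IPS or ev.get("dst") in C2_IPS:
            tags.append("c2_ip")
        if ev.get("url") in DOWNLOAD_URLS:
            tags.append("payload_download")
        if host in IP_DISCOVERY_DOMAINS:
            tags.append("external_ip_lookup")
        if "url" in ev and normalize_isfb_path(urlsplit(ev["url"]).path) is not None:
            tags.append("isfb_encoded_path")
        if tags:
            findings.append({"ts": ev.get("ts"), "host": host, "tags": tags})
    return findings


# Constructed log lines, shaped after the activity this report records.
LOG_LINES = [
    "ts=2022-01-12T13:01:02Z type=dns host=myip.opendns.com answer=102.129.143.64",
    "ts=2022-01-12T13:01:03Z type=dns host=resolver1.opendns.com answer=208.67.222.222",
    "ts=2022-01-12T13:02:10Z type=http host=transfer.sh url=https://transfer.sh/get/3dvhcv/lia.exe",
    "ts=2022-01-12T13:02:40Z type=dns host=io.immontyr.com answer=185.189.12.123",
    "ts=2022-01-12T13:02:41Z type=http host=apr.intooltak.com url=http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH",
    "ts=2022-01-12T13:03:00Z type=http host=www.fontbureau.com url=http://www.fontbureau.com/designers",
]

if __name__ == "__main__":
    for f in triage(LOG_LINES):
        print(f["ts"], f["host"], ",".join(f["tags"]))
```

The first apr.intooltak.com path from the report normalizes to 63 base64 characters (47 bytes of ciphertext), while an ordinary path such as /designers fails the length and alphabet checks, so the fontbureau.com line produces no finding. The two OpenDNS lookups are reported as a behavioural tag rather than as C2, which is how an analyst would want them scored when they precede the first beacon.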

Dropped files

Name and file type

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gozi.exe.log
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
C:\Users\user\AppData\Local\Temp\3B0F.bi1
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\5n300s0s.0.cs
    UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\5n300s0s.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\5n300s0s.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP
    MSVC .res
C:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP
    MSVC .res
C:\Users\user\AppData\Local\Temp\RES73F8.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
C:\Users\user\AppData\Local\Temp\RES8712.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdpkmtso.umo.ps1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epyy1szg.01u.psm1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\hscan34n.0.cs
    UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\hscan34n.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\hscan34n.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\hscan34n.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
C:\Users\user\DeviceFile.ps1
    ASCII text, with no line terminators
C:\Users\user\Documents\20220112\PowerShell_transcript.768287.AFX4atZf.20220112130217.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\SettingsDocument.lnk
    MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
\Device\ConDrv
    ASCII text, with CRLF, CR line terminators

Note: the entry under CLR_v4.0_32\UsageLogs is the usage log the .NET runtime writes for a managed executable, so gozi.exe is itself a 32-bit .NET binary. The two sets of <stem>.0.cs, .cmdline, .dll and .out files in Temp, together with the CSC*.TMP resource files and RES*.tmp COFF objects, are what csc.exe leaves behind when PowerShell's Add-Type compiles C# at run time; 5n300s0s.dll and hscan34n.dll are the resulting assemblies and the .cmdline files record the compiler invocation. The __PSScriptPolicyTest_* files are written by PowerShell itself at start-up to probe AppLocker/WDAC script enforcement and appear in benign sessions too. The PowerShell_transcript.* file shows transcription was enabled on the analysis system and holds the session's commands and output. DeviceFile.ps1, SettingsDocument.lnk (its 1600 dates are zero FILETIME values) and Temp\3B0F.bi1 are the remaining files to extract for analysis.
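As an added example (not part of the sandbox report), the dropped-file paths above are bucketed by the tool that wrote them, the way a file-creation rule in an EDR or Sigma-style pipeline would separate compiler and PowerShell housekeeping from the sample's own drops. The paths are copied from this report; the regular expressions, bucket names and the classify() function are assumptions made for the illustration, and the facts they encode (csc.exe's Add-Type artefact names, PowerShell's __PSScriptPolicyTest probe files, the CLR's UsageLogs) are standard Windows and .NET behaviour rather than something the report states.

```python
"""Bucket the dropped-file paths from this report by what wrote them.

Added example, not part of the sandbox report. The paths are copied from the
report's "Dropped files" list; the rules below are assumptions that encode
standard Windows/.NET tooling behaviour.
"""
import re
from collections import defaultdict
from typing import Dict, List

# csc.exe, driven by PowerShell's Add-Type, writes <stem>.0.cs, <stem>.cmdline,
# <stem>.out and the compiled <stem>.dll to %TEMP% (stem = 8 random [a-z0-9]),
# plus CSC<guid>.TMP resource files and RES<hex>.tmp COFF objects.
ADD_TYPE = re.compile(r"\\Temp\\([a-z0-9]{8})\.(0\.cs|cmdline|out|dll|err|pdb)$", re.I)
CSC_SIDE = re.compile(r"\\Temp\\(CSC[0-9A-F]+\.TMP|RES[0-9A-F]+\.tmp)$", re.I)
# PowerShell writes __PSScriptPolicyTest_<rand>.<rand>.ps1/.psm1 at start-up to
# test whether AppLocker/WDAC restricts scripts; present in benign sessions too.
POLICY_PROBE = re.compile(r"\\Temp\\__PSScriptPolicyTest_[a-z0-9]{8}\.[a-z0-9]{3}\.psm?1$", re.I)
# The CLR writes <exe>.log under CLR_v4.0(_32)\UsageLogs for managed executables,
# so such an entry identifies the sample as a .NET binary (32-bit when _32).
CLR_USAGE = re.compile(r"\\CLR_v4\.0(_32)?\\UsageLogs\\([^\\]+)\.log$", re.I)


def classify(paths: List[str]) -> Dict[str, object]:
    """Group file-creation paths into tooling artefacts and everything else."""
    compiles = defaultdict(set)
    buckets = {"csc_side_files": [], "policy_probes": [], "managed_exes": [], "other": []}
    for p in paths:
        if (m := ADD_TYPE.search(p)):
            compiles[m.group(1).lower()].add(m.group(2).lower())
        elif CSC_SIDE.search(p):
            buckets["csc_side_files"].append(p)
        elif POLICY_PROBE.search(p):
            buckets["policy_probes"].append(p)
        elif (m := CLR_USAGE.search(p)):
            buckets["managed_exes"].append(m.group(2))
        else:
            buckets["other"].append(p)
    # A compile set is actionable when source, compiler command line and the
    # output DLL are all present: pull the DLL, read the .cmdline.
    buckets["add_type_compiles"] = {s: sorted(e) for s, e in compiles.items()}
    buckets["complete_compiles"] = sorted(
        s for s, e in compiles.items() if {"0.cs", "cmdline", "dll"} <= e
    )
    return buckets


# Copied from the report's "Dropped files" list.
DROPPED = [
    r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gozi.exe.log",
    r"C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache",
    r"C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive",
    r"C:\Users\user\AppData\Local\Temp\3B0F.bi1",
    r"C:\Users\user\AppData\Local\Temp\5n300s0s.0.cs",
    r"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline",
    r"C:\Users\user\AppData\Local\Temp\5n300s0s.dll",
    r"C:\Users\user\AppData\Local\Temp\5n300s0s.out",
    r"C:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP",
    r"C:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP",
    r"C:\Users\user\AppData\Local\Temp\RES73F8.tmp",
    r"C:\Users\user\AppData\Local\Temp\RES8712.tmp",
    r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdpkmtso.umo.ps1",
    r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epyy1szg.01u.psm1",
    r"C:\Users\user\AppData\Local\Temp\hscan34n.0.cs",
    r"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline",
    r"C:\Users\user\AppData\Local\Temp\hscan34n.dll",
    r"C:\Users\user\AppData\Local\Temp\hscan34n.out",
    r"C:\Users\user\DeviceFile.ps1",
    r"C:\Users\user\Documents\20220112\PowerShell_transcript.768287.AFX4atZf.20220112130217.txt",
    r"C:\Users\user\SettingsDocument.lnk",
    r"\Device\ConDrv",
]

if __name__ == "__main__":
    result = classify(DROPPED)
    for key in ("managed_exes", "complete_compiles", "policy_probes", "other"):
        print(key, result[key])
```

Run against the report's list this yields two complete Add-Type compile sets (5n300s0s and hscan34n), four compiler side files, two PowerShell policy probes, gozi.exe as the managed executable, and an "other" bucket that is the short list worth pulling from the sandbox: 3B0F.bi1, DeviceFile.ps1, SettingsDocument.lnk, the transcript and the PowerShell cache files.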