gozi_ifsb | c81150d0d07583bfc8201f12f2587e760eaa988eff34bfab4bdb662b91f34242

General

Target

kpt1cab (2).dll
Size

196KB
MD5

8aa16faf942d1fa3e7855628f73aec25
SHA1

4e03f84d73f3c2fd324bdb53d74a6bf4e258190c
SHA256

c81150d0d07583bfc8201f12f2587e760eaa988eff34bfab4bdb662b91f34242
SHA512

cd170bf18ff81211a4e6aa89067687378bbcd7f34e014560cf90da98d903026ba8e5462592621132a37c7aff26138ee2de1cf81848766ae3eea01bbca813af01

Score

10^/10

banker trojan gozi_ifsb

Malware Config

Signatures

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 384 wrote to memory of 2860	384	rundll32.exe	rundll32.exe
PID 384 wrote to memory of 2860	384	rundll32.exe	rundll32.exe
PID 384 wrote to memory of 2860	384	rundll32.exe	rundll32.exe
PID 3816 wrote to memory of 3224	3816	iexplore.exe	IEXPLORE.EXE
PID 3816 wrote to memory of 3224	3816	iexplore.exe	IEXPLORE.EXE
PID 3816 wrote to memory of 3224	3816	iexplore.exe	IEXPLORE.EXE
PID 1468 wrote to memory of 1828	1468	iexplore.exe	IEXPLORE.EXE
PID 1468 wrote to memory of 1828	1468	iexplore.exe	IEXPLORE.EXE
PID 1468 wrote to memory of 1828	1468	iexplore.exe	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid process

3816 iexplore.exe
3816 iexplore.exe
3224 IEXPLORE.EXE
3224 IEXPLORE.EXE
1468 iexplore.exe
1468 iexplore.exe
1828 IEXPLORE.EXE
1828 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

3816 iexplore.exe
1468 iexplore.exe

pid	process
3816	iexplore.exe
3816	iexplore.exe
3224	IEXPLORE.EXE
3224	IEXPLORE.EXE
1468	iexplore.exe
1468	iexplore.exe
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE

pid	process
3816	iexplore.exe
1468	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C27166B-C1CD-11EA-95F0-5A00C6755A7A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30823898"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0a81f71da55d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e00000000020000000000106600000001000020000000f4f3f50bfbb88ff6b4a27429777ff60466a33aad252e98234805995ade9eff64000000000e8000000002000020000000e02dff57282be435770c1e33f47383cfcc2a9d56d1958bcd572e559c6c9e255e200000006d383246062fbc08aef3f176339d80775d29cb537a74727a48b0576218f915ff40000000f534a084b7aa3b08fa04ca41981522afff7216f602b3896635977a0c6518853fd2d8087fcd67e1d01227947bf7898dac89cafac914e8a8ec12e1bc8855170827	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e00000000020000000000106600000001000020000000b6b8f76e1bcc049978024f68258e70b2dff33a3d1f8e5b3c2a1dd3a58081b0c3000000000e8000000002000020000000eb2bff3f8d5c6f08f92a521269cdb1a50829ed9283e1567b3adf2203ed78e0a1200000009232570d86fedd1c04e0bb30fe709f3572d73b2a259c19e2b3439a0e6c11c06840000000957c3bc947622d26cb035cc2b58bd6e7d85d6fbbcb99800889cdff261c024bdf316ab9ff200d45a244e40691d9853186a8f7e3f12cafe0b42081c2fc2a7fb456	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30823898"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1889621729"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0da2278da55d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e00000000020000000000106600000001000020000000e02a26258d74fa6f556ce0b1fb36c1020fc915c2fb34935932ac3066f91067ab000000000e8000000002000020000000dc123f3954a267480de8422b2bcaea4e642e85ac4992215f43ec94f384cc9a762000000045d29c61da06d7df19c999473c2c3135cac60c2ee304ccb8ea4faeec854579c64000000082a5f2326f2215ffbfe465ca195d12e824b90e2eac30b4dd14e90b0cde8a4da4604284e008255ad4a598eab518fc1b2e8b6e39159b8f801eb8aa597427de8844	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B5263DAC-C1CD-11EA-95F0-5A00C6755A7A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1889621729"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90d42671da55d601	iexplore.exe

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Checks whether UAC is enabled 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\kpt1cab (2).dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\kpt1cab (2).dll",#1
2⤵
PID:2860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Checks whether UAC is enabled
PID:3816

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3816 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Checks whether UAC is enabled
PID:3224

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Checks whether UAC is enabled
PID:1468

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1468 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Checks whether UAC is enabled
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\X03OIIPO.cookie

Download Submit
memory/1828-2-0x0000000000000000-mapping.dmp

Download
memory/2860-0-0x0000000000000000-mapping.dmp

Download
memory/3224-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads