gozi_ifsb | 7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9

General

Target

7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.exe
Size

327KB
MD5

f3cfeb4d204656cdc50ff1e180dba05d
SHA1

1b18dff965566f28027c933878403d8e9f0cef75
SHA256

7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9
SHA512

89664de6d8d3b45d4bc9237fbbba442b2d7787faaa97a6d91b55e4b2230919d4e4127d6bf439eb2417df27f4a56471a2947d5d7e3da1e60d27f182ca2873d33a

Score

10^/10

gozi_ifsb ursnif banker persistence spyware trojan

Malware Config

Extracted

Family

ursnif

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Executes dropped EXE 1 IoCs

Processes:

chtbider.exe

pid process

1888 chtbider.exe
Deletes itself 1 IoCs

Processes:

chtbider.exe

pid process

1888 chtbider.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1996 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1888	chtbider.exe

pid	process
1888	chtbider.exe

pid	process
1996	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\DHCPupnp = "C:\\Users\\Admin\\AppData\\Roaming\\drprssec\\chtbider.exe"	7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

chtbider.exesvchost.exe

description	pid	process	target process
PID 1888 set thread context of 788	1888	chtbider.exe	svchost.exe
PID 788 set thread context of 1256	788	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chtbider.exeExplorer.EXE

pid process

1888 chtbider.exe
1256 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

chtbider.exesvchost.exe

pid process

1888 chtbider.exe
788 svchost.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE

pid	process
1888	chtbider.exe
1256	Explorer.EXE

pid	process
1888	chtbider.exe
788	svchost.exe

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.execmd.execmd.exechtbider.exesvchost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 756 wrote to memory of 2020	756	7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.exe	cmd.exe
PID 756 wrote to memory of 2020	756	7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.exe	cmd.exe
PID 756 wrote to memory of 2020	756	7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.exe	cmd.exe
PID 756 wrote to memory of 2020	756	7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.exe	cmd.exe
PID 2020 wrote to memory of 1996	2020	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1996	2020	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1996	2020	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1996	2020	cmd.exe	cmd.exe
PID 1996 wrote to memory of 1888	1996	cmd.exe	chtbider.exe
PID 1996 wrote to memory of 1888	1996	cmd.exe	chtbider.exe
PID 1996 wrote to memory of 1888	1996	cmd.exe	chtbider.exe
PID 1996 wrote to memory of 1888	1996	cmd.exe	chtbider.exe
PID 1888 wrote to memory of 788	1888	chtbider.exe	svchost.exe
PID 1888 wrote to memory of 788	1888	chtbider.exe	svchost.exe
PID 1888 wrote to memory of 788	1888	chtbider.exe	svchost.exe
PID 1888 wrote to memory of 788	1888	chtbider.exe	svchost.exe
PID 1888 wrote to memory of 788	1888	chtbider.exe	svchost.exe
PID 1888 wrote to memory of 788	1888	chtbider.exe	svchost.exe
PID 1888 wrote to memory of 788	1888	chtbider.exe	svchost.exe
PID 788 wrote to memory of 1256	788	svchost.exe	Explorer.EXE
PID 788 wrote to memory of 1256	788	svchost.exe	Explorer.EXE
PID 788 wrote to memory of 1256	788	svchost.exe	Explorer.EXE
PID 1256 wrote to memory of 928	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 928	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 928	1256	Explorer.EXE	cmd.exe
PID 928 wrote to memory of 1712	928	cmd.exe	nslookup.exe
PID 928 wrote to memory of 1712	928	cmd.exe	nslookup.exe
PID 928 wrote to memory of 1712	928	cmd.exe	nslookup.exe
PID 1256 wrote to memory of 1984	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1984	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1984	1256	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.exe
  "C:\Users\Admin\AppData\Local\Temp\7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\C5EE\1F0.bat" "C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe" "C:\Users\Admin\AppData\Local\Temp\7C3AE2~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe" "C:\Users\Admin\AppData\Local\Temp\7C3AE2~1.EXE""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe
        
        "C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe" "C:\Users\Admin\AppData\Local\Temp\7C3AE2~1.EXE"
        5⤵
        Executes dropped EXE
        Deletes itself
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:788
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\F8D.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1712
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\F8D.bi1"
  2⤵
  PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C5EE\1F0.bat

MD5
a8e398ca3cdbcbf26c82e4577b29784c

SHA1
91f8a5e2028ded65e4f3bdddd83a6f0cd8b98d3f

SHA256
b77ef2ed5b0a388a884a2e8cd8c15a3a6924aad778304fcb4bad8d8870e0e17f

SHA512
03e375e6ba5e3ea50c8f9f98d82d9c9235e68e53e0477816b3799efab4412ef37ae2072065389db5619ac6be9cce8fd283c5233276c748fe0100452ec2cb8200

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8D.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8D.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe

MD5
f3cfeb4d204656cdc50ff1e180dba05d

SHA1
1b18dff965566f28027c933878403d8e9f0cef75

SHA256
7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9

SHA512
89664de6d8d3b45d4bc9237fbbba442b2d7787faaa97a6d91b55e4b2230919d4e4127d6bf439eb2417df27f4a56471a2947d5d7e3da1e60d27f182ca2873d33a

Download Submit
C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe

MD5
f3cfeb4d204656cdc50ff1e180dba05d

SHA1
1b18dff965566f28027c933878403d8e9f0cef75

SHA256
7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9

SHA512
89664de6d8d3b45d4bc9237fbbba442b2d7787faaa97a6d91b55e4b2230919d4e4127d6bf439eb2417df27f4a56471a2947d5d7e3da1e60d27f182ca2873d33a

Download Submit
\Users\Admin\AppData\Roaming\drprssec\chtbider.exe

MD5
f3cfeb4d204656cdc50ff1e180dba05d

SHA1
1b18dff965566f28027c933878403d8e9f0cef75

SHA256
7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9

SHA512
89664de6d8d3b45d4bc9237fbbba442b2d7787faaa97a6d91b55e4b2230919d4e4127d6bf439eb2417df27f4a56471a2947d5d7e3da1e60d27f182ca2873d33a

Download Submit
memory/788-7-0x0000000000000000-mapping.dmp

Download
memory/788-9-0x000007FFFFFD6000-mapping.dmp

Download
memory/788-10-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/788-11-0x0000000001BA0000-0x0000000001C2F000-memory.dmp

Filesize
572KB

Download
memory/928-13-0x0000000000000000-mapping.dmp

Download
memory/1712-14-0x0000000000000000-mapping.dmp

Download
memory/1776-12-0x000007FEF7E30000-0x000007FEF80AA000-memory.dmp

Filesize
2.5MB

Download
memory/1888-8-0x0000000000480000-0x000000000050F000-memory.dmp

Filesize
572KB

Download
memory/1888-5-0x0000000000000000-mapping.dmp

Download
memory/1984-15-0x0000000000000000-mapping.dmp

Download
memory/1996-2-0x0000000000000000-mapping.dmp

Download
memory/2020-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads