gozi_ifsb | 02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74

General

Target

02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe
Size

273KB
MD5

7f1d3c53b9ec4e4a0de133e294c59503
SHA1

0a5cf542342a579a2da13fe81f2a33e8beb2dd53
SHA256

02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74
SHA512

38693beb421aa4b18de14edc82a360e437e3269003ac94322f2cd34ce9a6c8cd4ee4d5d3fec785f36e752b7e6bd8f2a62a95988282240181d24f0f3341897486

Score

10^/10

gozi_ifsb ursnif banker persistence spyware trojan upx

Malware Config

Extracted

Family

ursnif

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Executes dropped EXE 1 IoCs

Processes:

ACCTlg32.exe

pid process

856 ACCTlg32.exe

pid	process
856	ACCTlg32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe	upx
C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe	upx

Deletes itself 1 IoCs

Processes:

ACCTlg32.exe

pid process

856 ACCTlg32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
856	ACCTlg32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\advadext = "C:\\Users\\Admin\\AppData\\Roaming\\capicatq\\ACCTlg32.exe"	02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ACCTlg32.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 856 set thread context of 988	856	ACCTlg32.exe	svchost.exe
PID 988 set thread context of 2868	988	svchost.exe	Explorer.EXE
PID 2868 set thread context of 3480	2868	Explorer.EXE	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ACCTlg32.exeExplorer.EXE

pid process

856 ACCTlg32.exe
856 ACCTlg32.exe
2868 Explorer.EXE
2868 Explorer.EXE
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

ACCTlg32.exesvchost.exeExplorer.EXE

pid process

856 ACCTlg32.exe
988 svchost.exe
2868 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2868 Explorer.EXE

pid	process
856	ACCTlg32.exe
856	ACCTlg32.exe
2868	Explorer.EXE
2868	Explorer.EXE

pid	process
856	ACCTlg32.exe
988	svchost.exe
2868	Explorer.EXE

pid	process
2868	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.execmd.execmd.exeACCTlg32.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 880 wrote to memory of 3228	880	02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe	cmd.exe
PID 880 wrote to memory of 3228	880	02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe	cmd.exe
PID 880 wrote to memory of 3228	880	02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe	cmd.exe
PID 3228 wrote to memory of 64	3228	cmd.exe	cmd.exe
PID 3228 wrote to memory of 64	3228	cmd.exe	cmd.exe
PID 3228 wrote to memory of 64	3228	cmd.exe	cmd.exe
PID 64 wrote to memory of 856	64	cmd.exe	ACCTlg32.exe
PID 64 wrote to memory of 856	64	cmd.exe	ACCTlg32.exe
PID 64 wrote to memory of 856	64	cmd.exe	ACCTlg32.exe
PID 856 wrote to memory of 988	856	ACCTlg32.exe	svchost.exe
PID 856 wrote to memory of 988	856	ACCTlg32.exe	svchost.exe
PID 856 wrote to memory of 988	856	ACCTlg32.exe	svchost.exe
PID 856 wrote to memory of 988	856	ACCTlg32.exe	svchost.exe
PID 856 wrote to memory of 988	856	ACCTlg32.exe	svchost.exe
PID 988 wrote to memory of 2868	988	svchost.exe	Explorer.EXE
PID 988 wrote to memory of 2868	988	svchost.exe	Explorer.EXE
PID 988 wrote to memory of 2868	988	svchost.exe	Explorer.EXE
PID 2868 wrote to memory of 3480	2868	Explorer.EXE	RuntimeBroker.exe
PID 2868 wrote to memory of 3480	2868	Explorer.EXE	RuntimeBroker.exe
PID 2868 wrote to memory of 3480	2868	Explorer.EXE	RuntimeBroker.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe
"C:\Users\Admin\AppData\Local\Temp\02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2D9E\10.bat" "C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe" "C:\Users\Admin\AppData\Local\Temp\02D165~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe" "C:\Users\Admin\AppData\Local\Temp\02D165~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe
"C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe" "C:\Users\Admin\AppData\Local\Temp\02D165~1.EXE"
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2D9E\10.bat
MD5
080d26ee115b01a74a7e2d9d99cdd4ab

SHA1
d2ece7f90e7eb9cecd2f2249852efd5a7cc37cb8

SHA256
6885b9e820e6db3849a5c1dc9799e6a2cfacc67331960e1334371002588e7d0b

SHA512
24b9715d356a69dde79e97578a2ace3c167ef18c998adad926eef0736990225536a6b288fe8fa625aab05ef62c7d270acd54216ccb8159547af0eae694bc933b

Download Submit
C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe
MD5
7f1d3c53b9ec4e4a0de133e294c59503

SHA1
0a5cf542342a579a2da13fe81f2a33e8beb2dd53

SHA256
02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74

SHA512
38693beb421aa4b18de14edc82a360e437e3269003ac94322f2cd34ce9a6c8cd4ee4d5d3fec785f36e752b7e6bd8f2a62a95988282240181d24f0f3341897486

Download Submit
C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe
MD5
7f1d3c53b9ec4e4a0de133e294c59503

SHA1
0a5cf542342a579a2da13fe81f2a33e8beb2dd53

SHA256
02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74

SHA512
38693beb421aa4b18de14edc82a360e437e3269003ac94322f2cd34ce9a6c8cd4ee4d5d3fec785f36e752b7e6bd8f2a62a95988282240181d24f0f3341897486

Download Submit
memory/64-2-0x0000000000000000-mapping.dmp

Download
memory/856-3-0x0000000000000000-mapping.dmp

Download
memory/856-7-0x00000000021C0000-0x0000000002256000-memory.dmp

Filesize
600KB

Download
memory/988-6-0x0000000000000000-mapping.dmp

Download
memory/988-8-0x00000087E2C6F000-mapping.dmp

Download
memory/988-9-0x0000024D2A6E0000-0x0000024D2A776000-memory.dmp

Filesize
600KB

Download
memory/2868-10-0x0000000005480000-0x0000000005516000-memory.dmp

Filesize
600KB

Download
memory/3228-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads