gozi_ifsb | d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba

General

Target

d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.exe
Size

365KB
MD5

7012fcbeda3bebbceef18eba8e2a78db
SHA1

64bf265931d406c6c1632c5a6a16cbf335b1202e
SHA256

d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba
SHA512

9761ab641cc625e804922522c6b89d95f1dee7325f634d39f6f8eb71cd45af8b75f24152759ee59977cf026fa696d85d77161cd3db246915b2240e31c1f69a6b

Score

10^/10

gozi_ifsb ursnif banker persistence spyware trojan

Malware Config

Extracted

Family

ursnif

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Executes dropped EXE 1 IoCs

Processes:

bcryider.exe

pid process

1692 bcryider.exe
Deletes itself 1 IoCs

Processes:

bcryider.exe

pid process

1692 bcryider.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

344 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1692	bcryider.exe

pid	process
1692	bcryider.exe

pid	process
344	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\capiript = "C:\\Users\\Admin\\AppData\\Roaming\\Devidisc\\bcryider.exe"	d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bcryider.exesvchost.exe

description	pid	process	target process
PID 1692 set thread context of 1660	1692	bcryider.exe	svchost.exe
PID 1660 set thread context of 1268	1660	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bcryider.exeExplorer.EXE

pid process

1692 bcryider.exe
1268 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

bcryider.exesvchost.exe

pid process

1692 bcryider.exe
1660 svchost.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1692	bcryider.exe
1268	Explorer.EXE

pid	process
1692	bcryider.exe
1660	svchost.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.execmd.execmd.exebcryider.exesvchost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1744 wrote to memory of 1796	1744	d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.exe	cmd.exe
PID 1744 wrote to memory of 1796	1744	d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.exe	cmd.exe
PID 1744 wrote to memory of 1796	1744	d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.exe	cmd.exe
PID 1744 wrote to memory of 1796	1744	d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.exe	cmd.exe
PID 1796 wrote to memory of 344	1796	cmd.exe	cmd.exe
PID 1796 wrote to memory of 344	1796	cmd.exe	cmd.exe
PID 1796 wrote to memory of 344	1796	cmd.exe	cmd.exe
PID 1796 wrote to memory of 344	1796	cmd.exe	cmd.exe
PID 344 wrote to memory of 1692	344	cmd.exe	bcryider.exe
PID 344 wrote to memory of 1692	344	cmd.exe	bcryider.exe
PID 344 wrote to memory of 1692	344	cmd.exe	bcryider.exe
PID 344 wrote to memory of 1692	344	cmd.exe	bcryider.exe
PID 1692 wrote to memory of 1660	1692	bcryider.exe	svchost.exe
PID 1692 wrote to memory of 1660	1692	bcryider.exe	svchost.exe
PID 1692 wrote to memory of 1660	1692	bcryider.exe	svchost.exe
PID 1692 wrote to memory of 1660	1692	bcryider.exe	svchost.exe
PID 1692 wrote to memory of 1660	1692	bcryider.exe	svchost.exe
PID 1692 wrote to memory of 1660	1692	bcryider.exe	svchost.exe
PID 1692 wrote to memory of 1660	1692	bcryider.exe	svchost.exe
PID 1660 wrote to memory of 1268	1660	svchost.exe	Explorer.EXE
PID 1660 wrote to memory of 1268	1660	svchost.exe	Explorer.EXE
PID 1660 wrote to memory of 1268	1660	svchost.exe	Explorer.EXE
PID 1268 wrote to memory of 1720	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1720	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1720	1268	Explorer.EXE	cmd.exe
PID 1720 wrote to memory of 988	1720	cmd.exe	nslookup.exe
PID 1720 wrote to memory of 988	1720	cmd.exe	nslookup.exe
PID 1720 wrote to memory of 988	1720	cmd.exe	nslookup.exe
PID 1268 wrote to memory of 1708	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1708	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1708	1268	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.exe
  "C:\Users\Admin\AppData\Local\Temp\d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1DDE\EEF.bat" "C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe" "C:\Users\Admin\AppData\Local\Temp\D01363~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe" "C:\Users\Admin\AppData\Local\Temp\D01363~1.EXE""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:344
    - - C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe
        
        "C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe" "C:\Users\Admin\AppData\Local\Temp\D01363~1.EXE"
        5⤵
        Executes dropped EXE
        Deletes itself
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1660
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B934.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:988
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B934.bi1"
  2⤵
  PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1DDE\EEF.bat

MD5
6b755eae8af19c5c6c577380117cc321

SHA1
c274fed0510070d970896aad9ea70ae50deea61f

SHA256
c5949aa1c4ae0448e60bdb48f18008a196ed445af9f6a57cd6889a4b0a01d9de

SHA512
c8c9d5497d8b452b55182e80b12f236ab5dd4f12276d8f9af9eccb1bc46eae8fac8e1239c11c68b814f44aefd712d83bc1f95b2d7b1d51b7853236bf3942b0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B934.bi1

MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B934.bi1

MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe

MD5
7012fcbeda3bebbceef18eba8e2a78db

SHA1
64bf265931d406c6c1632c5a6a16cbf335b1202e

SHA256
d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba

SHA512
9761ab641cc625e804922522c6b89d95f1dee7325f634d39f6f8eb71cd45af8b75f24152759ee59977cf026fa696d85d77161cd3db246915b2240e31c1f69a6b

Download Submit
C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe

MD5
7012fcbeda3bebbceef18eba8e2a78db

SHA1
64bf265931d406c6c1632c5a6a16cbf335b1202e

SHA256
d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba

SHA512
9761ab641cc625e804922522c6b89d95f1dee7325f634d39f6f8eb71cd45af8b75f24152759ee59977cf026fa696d85d77161cd3db246915b2240e31c1f69a6b

Download Submit
\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe

MD5
7012fcbeda3bebbceef18eba8e2a78db

SHA1
64bf265931d406c6c1632c5a6a16cbf335b1202e

SHA256
d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba

SHA512
9761ab641cc625e804922522c6b89d95f1dee7325f634d39f6f8eb71cd45af8b75f24152759ee59977cf026fa696d85d77161cd3db246915b2240e31c1f69a6b

Download Submit
memory/344-2-0x0000000000000000-mapping.dmp

Download
memory/988-14-0x0000000000000000-mapping.dmp

Download
memory/1660-7-0x0000000000000000-mapping.dmp

Download
memory/1660-9-0x000007FFFFFDB000-mapping.dmp

Download
memory/1660-10-0x0000000000470000-0x00000000004A5000-memory.dmp

Filesize
212KB

Download
memory/1660-11-0x0000000002030000-0x00000000020BF000-memory.dmp

Filesize
572KB

Download
memory/1692-8-0x0000000001F10000-0x0000000001F9F000-memory.dmp

Filesize
572KB

Download
memory/1692-5-0x0000000000000000-mapping.dmp

Download
memory/1708-15-0x0000000000000000-mapping.dmp

Download
memory/1720-13-0x0000000000000000-mapping.dmp

Download
memory/1796-0-0x0000000000000000-mapping.dmp

Download
memory/1816-12-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads