gozi_ifsb | d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702

General

Target

d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe
Size

327KB
MD5

2e2ed2b2bc917a92eb0d9bdb466da3b9
SHA1

f361d57f199c8a75c8e92b5ff0385e978cda0e53
SHA256

d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702
SHA512

7011c2fea9a87c19b86ce4fff579a7e73796ea9fc4474880ef0f84801f86a37b385b54cb271dc486f38ff3fd6f1727d0ac640e7155f1fa297b80e61e360fa844

Score

10^/10

gozi_ifsb ursnif banker persistence spyware trojan

Malware Config

Extracted

Family

ursnif

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Executes dropped EXE 1 IoCs

Processes:

bcryider.exe

pid process

1980 bcryider.exe
Deletes itself 1 IoCs

Processes:

bcryider.exe

pid process

1980 bcryider.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1996 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1980	bcryider.exe

pid	process
1980	bcryider.exe

pid	process
1996	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\capiript = "C:\\Users\\Admin\\AppData\\Roaming\\Devidisc\\bcryider.exe"	d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bcryider.exesvchost.exe

description	pid	process	target process
PID 1980 set thread context of 604	1980	bcryider.exe	svchost.exe
PID 604 set thread context of 1276	604	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bcryider.exeExplorer.EXE

pid process

1980 bcryider.exe
1276 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

bcryider.exesvchost.exe

pid process

1980 bcryider.exe
604 svchost.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE

pid	process
1980	bcryider.exe
1276	Explorer.EXE

pid	process
1980	bcryider.exe
604	svchost.exe

pid	process
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.execmd.execmd.exebcryider.exesvchost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1848 wrote to memory of 1428	1848	d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe	cmd.exe
PID 1848 wrote to memory of 1428	1848	d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe	cmd.exe
PID 1848 wrote to memory of 1428	1848	d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe	cmd.exe
PID 1848 wrote to memory of 1428	1848	d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe	cmd.exe
PID 1428 wrote to memory of 1996	1428	cmd.exe	cmd.exe
PID 1428 wrote to memory of 1996	1428	cmd.exe	cmd.exe
PID 1428 wrote to memory of 1996	1428	cmd.exe	cmd.exe
PID 1428 wrote to memory of 1996	1428	cmd.exe	cmd.exe
PID 1996 wrote to memory of 1980	1996	cmd.exe	bcryider.exe
PID 1996 wrote to memory of 1980	1996	cmd.exe	bcryider.exe
PID 1996 wrote to memory of 1980	1996	cmd.exe	bcryider.exe
PID 1996 wrote to memory of 1980	1996	cmd.exe	bcryider.exe
PID 1980 wrote to memory of 604	1980	bcryider.exe	svchost.exe
PID 1980 wrote to memory of 604	1980	bcryider.exe	svchost.exe
PID 1980 wrote to memory of 604	1980	bcryider.exe	svchost.exe
PID 1980 wrote to memory of 604	1980	bcryider.exe	svchost.exe
PID 1980 wrote to memory of 604	1980	bcryider.exe	svchost.exe
PID 1980 wrote to memory of 604	1980	bcryider.exe	svchost.exe
PID 1980 wrote to memory of 604	1980	bcryider.exe	svchost.exe
PID 604 wrote to memory of 1276	604	svchost.exe	Explorer.EXE
PID 604 wrote to memory of 1276	604	svchost.exe	Explorer.EXE
PID 604 wrote to memory of 1276	604	svchost.exe	Explorer.EXE
PID 1276 wrote to memory of 660	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 660	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 660	1276	Explorer.EXE	cmd.exe
PID 660 wrote to memory of 1916	660	cmd.exe	nslookup.exe
PID 660 wrote to memory of 1916	660	cmd.exe	nslookup.exe
PID 660 wrote to memory of 1916	660	cmd.exe	nslookup.exe
PID 1276 wrote to memory of 1076	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1076	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1076	1276	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe
  "C:\Users\Admin\AppData\Local\Temp\d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\2472\1239.bat" "C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe" "C:\Users\Admin\AppData\Local\Temp\D0C6A4~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe" "C:\Users\Admin\AppData\Local\Temp\D0C6A4~1.EXE""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe
        
        "C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe" "C:\Users\Admin\AppData\Local\Temp\D0C6A4~1.EXE"
        5⤵
        Executes dropped EXE
        Deletes itself
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:604
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B52E.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B52E.bi1"
  2⤵
  PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2472\1239.bat

MD5
9b1bd114aff92414683f6e7197aadc34

SHA1
321d20055bf5661156ae5a9f301a8209004eabfb

SHA256
d9455f4a34a110acd243d8b806752049980c5629fe44a779d1b7529c587f76ba

SHA512
cdfe277913ece2f3adac282e462bb4a327f615ffb94d1f56c411f5844ccfef8ee6c878068db899e27857f56fed3800c1bcd97035e5f14b87d73b67b8152d79fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\B52E.bi1

MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B52E.bi1

MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe

MD5
2e2ed2b2bc917a92eb0d9bdb466da3b9

SHA1
f361d57f199c8a75c8e92b5ff0385e978cda0e53

SHA256
d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702

SHA512
7011c2fea9a87c19b86ce4fff579a7e73796ea9fc4474880ef0f84801f86a37b385b54cb271dc486f38ff3fd6f1727d0ac640e7155f1fa297b80e61e360fa844

Download Submit
C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe

MD5
2e2ed2b2bc917a92eb0d9bdb466da3b9

SHA1
f361d57f199c8a75c8e92b5ff0385e978cda0e53

SHA256
d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702

SHA512
7011c2fea9a87c19b86ce4fff579a7e73796ea9fc4474880ef0f84801f86a37b385b54cb271dc486f38ff3fd6f1727d0ac640e7155f1fa297b80e61e360fa844

Download Submit
\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe

MD5
2e2ed2b2bc917a92eb0d9bdb466da3b9

SHA1
f361d57f199c8a75c8e92b5ff0385e978cda0e53

SHA256
d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702

SHA512
7011c2fea9a87c19b86ce4fff579a7e73796ea9fc4474880ef0f84801f86a37b385b54cb271dc486f38ff3fd6f1727d0ac640e7155f1fa297b80e61e360fa844

Download Submit
memory/604-7-0x0000000000000000-mapping.dmp

Download
memory/604-9-0x000007FFFFFDD000-mapping.dmp

Download
memory/604-10-0x00000000003F0000-0x0000000000425000-memory.dmp

Filesize
212KB

Download
memory/604-11-0x0000000001FD0000-0x000000000205F000-memory.dmp

Filesize
572KB

Download
memory/660-13-0x0000000000000000-mapping.dmp

Download
memory/1076-15-0x0000000000000000-mapping.dmp

Download
memory/1428-0-0x0000000000000000-mapping.dmp

Download
memory/1532-12-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

Filesize
2.5MB

Download
memory/1916-14-0x0000000000000000-mapping.dmp

Download
memory/1980-8-0x0000000000480000-0x000000000050F000-memory.dmp

Filesize
572KB

Download
memory/1980-5-0x0000000000000000-mapping.dmp

Download
memory/1996-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads