gozi_ifsb | d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702

General

Target

d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe
Size

327KB
MD5

2e2ed2b2bc917a92eb0d9bdb466da3b9
SHA1

f361d57f199c8a75c8e92b5ff0385e978cda0e53
SHA256

d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702
SHA512

7011c2fea9a87c19b86ce4fff579a7e73796ea9fc4474880ef0f84801f86a37b385b54cb271dc486f38ff3fd6f1727d0ac640e7155f1fa297b80e61e360fa844

Score

10^/10

gozi_ifsb ursnif banker persistence spyware trojan

Malware Config

Extracted

Family

ursnif

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Executes dropped EXE 1 IoCs

Processes:

Callmuid.exe

pid process

492 Callmuid.exe
Deletes itself 1 IoCs

Processes:

Callmuid.exe

pid process

492 Callmuid.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
492	Callmuid.exe

pid	process
492	Callmuid.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\acmiager = "C:\\Users\\Admin\\AppData\\Roaming\\Certmcat\\Callmuid.exe"	d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Callmuid.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 492 set thread context of 3652	492	Callmuid.exe	svchost.exe
PID 3652 set thread context of 3044	3652	svchost.exe	Explorer.EXE
PID 3044 set thread context of 3592	3044	Explorer.EXE	RuntimeBroker.exe
PID 3044 set thread context of 3096	3044	Explorer.EXE	WinMail.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Callmuid.exeExplorer.EXE

pid process

492 Callmuid.exe
492 Callmuid.exe
3044 Explorer.EXE
3044 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

Callmuid.exesvchost.exeExplorer.EXE

pid process

492 Callmuid.exe
3652 svchost.exe
3044 Explorer.EXE
3044 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Explorer.EXE

description pid process

Token: SeShutdownPrivilege 3044 Explorer.EXE
Token: SeCreatePagefilePrivilege 3044 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3044 Explorer.EXE

pid	process
492	Callmuid.exe
492	Callmuid.exe
3044	Explorer.EXE
3044	Explorer.EXE

pid	process
492	Callmuid.exe
3652	svchost.exe
3044	Explorer.EXE
3044	Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE

pid	process
3044	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.execmd.execmd.exeCallmuid.exesvchost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1140 wrote to memory of 996	1140	d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe	cmd.exe
PID 1140 wrote to memory of 996	1140	d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe	cmd.exe
PID 1140 wrote to memory of 996	1140	d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe	cmd.exe
PID 996 wrote to memory of 208	996	cmd.exe	cmd.exe
PID 996 wrote to memory of 208	996	cmd.exe	cmd.exe
PID 996 wrote to memory of 208	996	cmd.exe	cmd.exe
PID 208 wrote to memory of 492	208	cmd.exe	Callmuid.exe
PID 208 wrote to memory of 492	208	cmd.exe	Callmuid.exe
PID 208 wrote to memory of 492	208	cmd.exe	Callmuid.exe
PID 492 wrote to memory of 3652	492	Callmuid.exe	svchost.exe
PID 492 wrote to memory of 3652	492	Callmuid.exe	svchost.exe
PID 492 wrote to memory of 3652	492	Callmuid.exe	svchost.exe
PID 492 wrote to memory of 3652	492	Callmuid.exe	svchost.exe
PID 492 wrote to memory of 3652	492	Callmuid.exe	svchost.exe
PID 3652 wrote to memory of 3044	3652	svchost.exe	Explorer.EXE
PID 3652 wrote to memory of 3044	3652	svchost.exe	Explorer.EXE
PID 3652 wrote to memory of 3044	3652	svchost.exe	Explorer.EXE
PID 3044 wrote to memory of 3592	3044	Explorer.EXE	RuntimeBroker.exe
PID 3044 wrote to memory of 3592	3044	Explorer.EXE	RuntimeBroker.exe
PID 3044 wrote to memory of 3592	3044	Explorer.EXE	RuntimeBroker.exe
PID 3044 wrote to memory of 3772	3044	Explorer.EXE	cmd.exe
PID 3044 wrote to memory of 3772	3044	Explorer.EXE	cmd.exe
PID 3772 wrote to memory of 2096	3772	cmd.exe	nslookup.exe
PID 3772 wrote to memory of 2096	3772	cmd.exe	nslookup.exe
PID 3044 wrote to memory of 2444	3044	Explorer.EXE	cmd.exe
PID 3044 wrote to memory of 2444	3044	Explorer.EXE	cmd.exe
PID 3044 wrote to memory of 3096	3044	Explorer.EXE	WinMail.exe
PID 3044 wrote to memory of 3096	3044	Explorer.EXE	WinMail.exe
PID 3044 wrote to memory of 3096	3044	Explorer.EXE	WinMail.exe
PID 3044 wrote to memory of 3096	3044	Explorer.EXE	WinMail.exe
PID 3044 wrote to memory of 3096	3044	Explorer.EXE	WinMail.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe
"C:\Users\Admin\AppData\Local\Temp\d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\97A8\37.bat" "C:\Users\Admin\AppData\Roaming\Certmcat\Callmuid.exe" "C:\Users\Admin\AppData\Local\Temp\D0C6A4~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\Certmcat\Callmuid.exe" "C:\Users\Admin\AppData\Local\Temp\D0C6A4~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Roaming\Certmcat\Callmuid.exe
"C:\Users\Admin\AppData\Roaming\Certmcat\Callmuid.exe" "C:\Users\Admin\AppData\Local\Temp\D0C6A4~1.EXE"
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\EE3A.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:2096

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EE3A.bi1"
2⤵
PID:2444

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:3096

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\97A8\37.bat
MD5
c9453518c87e4c0f7fbb81b43d9a2e40

SHA1
644e2f520293f3221a41e5dcf69be12db00405d9

SHA256
ad9a2db1634d4ed5062b18ab65e9dd2d0ad1a9834a8844949088dd0606e28508

SHA512
695c1cb16b45074625bb12fa4c1bd13b07d49634e863a845c8ecfbb340a3060a6e70a7bbb088270f5a7426f1d848c5cf79227ec1268352af02f47fa13ad6c440

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE3A.bi1
MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE3A.bi1
MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Roaming\Certmcat\Callmuid.exe
MD5
2e2ed2b2bc917a92eb0d9bdb466da3b9

SHA1
f361d57f199c8a75c8e92b5ff0385e978cda0e53

SHA256
d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702

SHA512
7011c2fea9a87c19b86ce4fff579a7e73796ea9fc4474880ef0f84801f86a37b385b54cb271dc486f38ff3fd6f1727d0ac640e7155f1fa297b80e61e360fa844

Download Submit
C:\Users\Admin\AppData\Roaming\Certmcat\Callmuid.exe
MD5
2e2ed2b2bc917a92eb0d9bdb466da3b9

SHA1
f361d57f199c8a75c8e92b5ff0385e978cda0e53

SHA256
d0c6a4b3d920ff9efb4150c7b59de59497baf32f6c92ffd570a5406633665702

SHA512
7011c2fea9a87c19b86ce4fff579a7e73796ea9fc4474880ef0f84801f86a37b385b54cb271dc486f38ff3fd6f1727d0ac640e7155f1fa297b80e61e360fa844

Download Submit
memory/208-2-0x0000000000000000-mapping.dmp

Download
memory/492-7-0x00000000007C0000-0x000000000084F000-memory.dmp

Filesize
572KB

Download
memory/492-3-0x0000000000000000-mapping.dmp

Download
memory/996-0-0x0000000000000000-mapping.dmp

Download
memory/2096-13-0x0000000000000000-mapping.dmp

Download
memory/2444-14-0x0000000000000000-mapping.dmp

Download
memory/3044-18-0x0000000005D50000-0x0000000005DDF000-memory.dmp

Filesize
572KB

Download
memory/3044-11-0x0000000005D50000-0x0000000005DDF000-memory.dmp

Filesize
572KB

Download
memory/3096-17-0x0000000000000000-mapping.dmp

Download
memory/3096-19-0x000000E445DBA000-mapping.dmp

Download
memory/3096-20-0x000002E0BD040000-0x000002E0BD075000-memory.dmp

Filesize
212KB

Download
memory/3652-10-0x00000296FA460000-0x00000296FA4EF000-memory.dmp

Filesize
572KB

Download
memory/3652-9-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/3652-8-0x000000CA9E908000-mapping.dmp

Download
memory/3652-6-0x0000000000000000-mapping.dmp

Download
memory/3772-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads