gozi_ifsb | 522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2

General

Target

522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe
Size

365KB
MD5

1ec1a06e9206527fa74c5560f1fa71b7
SHA1

808955643df13e421c270e377c819cde4dd2c845
SHA256

522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2
SHA512

f6d860a6b21db89615e90caadcc33734a0c6c1a0953fec6d9c0e9330dfb12d8455536ba7c398e86ed33d5e18490cc58ddae3b0c09733bbd1f58394cb5562c604

Score

10^/10

gozi_ifsb ursnif banker persistence spyware trojan

Malware Config

Extracted

Family

ursnif

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Executes dropped EXE 1 IoCs

Processes:

bcryider.exe

pid process

1116 bcryider.exe
Deletes itself 1 IoCs

Processes:

bcryider.exe

pid process

1116 bcryider.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1640 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1116	bcryider.exe

pid	process
1116	bcryider.exe

pid	process
1640	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\capiript = "C:\\Users\\Admin\\AppData\\Roaming\\Devidisc\\bcryider.exe"	522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bcryider.exesvchost.exe

description	pid	process	target process
PID 1116 set thread context of 1088	1116	bcryider.exe	svchost.exe
PID 1088 set thread context of 1268	1088	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bcryider.exeExplorer.EXE

pid process

1116 bcryider.exe
1268 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

bcryider.exesvchost.exe

pid process

1116 bcryider.exe
1088 svchost.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1116	bcryider.exe
1268	Explorer.EXE

pid	process
1116	bcryider.exe
1088	svchost.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.execmd.execmd.exebcryider.exesvchost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2028 wrote to memory of 748	2028	522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe	cmd.exe
PID 2028 wrote to memory of 748	2028	522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe	cmd.exe
PID 2028 wrote to memory of 748	2028	522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe	cmd.exe
PID 2028 wrote to memory of 748	2028	522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe	cmd.exe
PID 748 wrote to memory of 1640	748	cmd.exe	cmd.exe
PID 748 wrote to memory of 1640	748	cmd.exe	cmd.exe
PID 748 wrote to memory of 1640	748	cmd.exe	cmd.exe
PID 748 wrote to memory of 1640	748	cmd.exe	cmd.exe
PID 1640 wrote to memory of 1116	1640	cmd.exe	bcryider.exe
PID 1640 wrote to memory of 1116	1640	cmd.exe	bcryider.exe
PID 1640 wrote to memory of 1116	1640	cmd.exe	bcryider.exe
PID 1640 wrote to memory of 1116	1640	cmd.exe	bcryider.exe
PID 1116 wrote to memory of 1088	1116	bcryider.exe	svchost.exe
PID 1116 wrote to memory of 1088	1116	bcryider.exe	svchost.exe
PID 1116 wrote to memory of 1088	1116	bcryider.exe	svchost.exe
PID 1116 wrote to memory of 1088	1116	bcryider.exe	svchost.exe
PID 1116 wrote to memory of 1088	1116	bcryider.exe	svchost.exe
PID 1116 wrote to memory of 1088	1116	bcryider.exe	svchost.exe
PID 1116 wrote to memory of 1088	1116	bcryider.exe	svchost.exe
PID 1088 wrote to memory of 1268	1088	svchost.exe	Explorer.EXE
PID 1088 wrote to memory of 1268	1088	svchost.exe	Explorer.EXE
PID 1088 wrote to memory of 1268	1088	svchost.exe	Explorer.EXE
PID 1268 wrote to memory of 696	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 696	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 696	1268	Explorer.EXE	cmd.exe
PID 696 wrote to memory of 272	696	cmd.exe	nslookup.exe
PID 696 wrote to memory of 272	696	cmd.exe	nslookup.exe
PID 696 wrote to memory of 272	696	cmd.exe	nslookup.exe
PID 1268 wrote to memory of 1644	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1644	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1644	1268	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe
  "C:\Users\Admin\AppData\Local\Temp\522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\4442\2221.bat" "C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe" "C:\Users\Admin\AppData\Local\Temp\522B12~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe" "C:\Users\Admin\AppData\Local\Temp\522B12~1.EXE""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe
        
        "C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe" "C:\Users\Admin\AppData\Local\Temp\522B12~1.EXE"
        5⤵
        Executes dropped EXE
        Deletes itself
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1116
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1088
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\CC08.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:272
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\CC08.bi1"
  2⤵
  PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4442\2221.bat

MD5
d257030180eb5ae26444ef279d2ce3f7

SHA1
886ef8cc6ded79fc1918a6c32f0280a6c44c215b

SHA256
e74cfd27c28bda2695c0fd912a8a76a6773cd57d4878c23e8b4b88a87d0a1d21

SHA512
3a159c25584e2b15db17c895514f93032cb99460eb8e1910884c2485b45e465fffc42126a0f1024d286ccd1d6f894aab852de4d7bebfc2f4950f90bcdbee1f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC08.bi1

MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC08.bi1

MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe

MD5
1ec1a06e9206527fa74c5560f1fa71b7

SHA1
808955643df13e421c270e377c819cde4dd2c845

SHA256
522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2

SHA512
f6d860a6b21db89615e90caadcc33734a0c6c1a0953fec6d9c0e9330dfb12d8455536ba7c398e86ed33d5e18490cc58ddae3b0c09733bbd1f58394cb5562c604

Download Submit
C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe

MD5
1ec1a06e9206527fa74c5560f1fa71b7

SHA1
808955643df13e421c270e377c819cde4dd2c845

SHA256
522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2

SHA512
f6d860a6b21db89615e90caadcc33734a0c6c1a0953fec6d9c0e9330dfb12d8455536ba7c398e86ed33d5e18490cc58ddae3b0c09733bbd1f58394cb5562c604

Download Submit
\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe

MD5
1ec1a06e9206527fa74c5560f1fa71b7

SHA1
808955643df13e421c270e377c819cde4dd2c845

SHA256
522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2

SHA512
f6d860a6b21db89615e90caadcc33734a0c6c1a0953fec6d9c0e9330dfb12d8455536ba7c398e86ed33d5e18490cc58ddae3b0c09733bbd1f58394cb5562c604

Download Submit
memory/272-14-0x0000000000000000-mapping.dmp

Download
memory/696-13-0x0000000000000000-mapping.dmp

Download
memory/748-0-0x0000000000000000-mapping.dmp

Download
memory/1076-12-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp

Filesize
2.5MB

Download
memory/1088-9-0x000007FFFFFD8000-mapping.dmp

Download
memory/1088-11-0x0000000000410000-0x000000000049F000-memory.dmp

Filesize
572KB

Download
memory/1088-10-0x0000000000370000-0x00000000003A5000-memory.dmp

Filesize
212KB

Download
memory/1088-7-0x0000000000000000-mapping.dmp

Download
memory/1116-8-0x0000000001DF0000-0x0000000001E7F000-memory.dmp

Filesize
572KB

Download
memory/1116-5-0x0000000000000000-mapping.dmp

Download
memory/1640-2-0x0000000000000000-mapping.dmp

Download
memory/1644-15-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads