gozi_ifsb | 522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2

General

Target

522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe
Size

365KB
MD5

1ec1a06e9206527fa74c5560f1fa71b7
SHA1

808955643df13e421c270e377c819cde4dd2c845
SHA256

522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2
SHA512

f6d860a6b21db89615e90caadcc33734a0c6c1a0953fec6d9c0e9330dfb12d8455536ba7c398e86ed33d5e18490cc58ddae3b0c09733bbd1f58394cb5562c604

Score

10^/10

gozi_ifsb ursnif banker persistence spyware trojan

Malware Config

Extracted

Family

ursnif

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Executes dropped EXE 1 IoCs

Processes:

atltartv.exe

pid process

1456 atltartv.exe
Deletes itself 1 IoCs

Processes:

atltartv.exe

pid process

1456 atltartv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1456	atltartv.exe

pid	process
1456	atltartv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\appmgSup = "C:\\Users\\Admin\\AppData\\Roaming\\amstcca\\atltartv.exe"	522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

atltartv.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 1456 set thread context of 4092	1456	atltartv.exe	svchost.exe
PID 4092 set thread context of 3040	4092	svchost.exe	Explorer.EXE
PID 3040 set thread context of 3500	3040	Explorer.EXE	RuntimeBroker.exe
PID 3040 set thread context of 2708	3040	Explorer.EXE	WinMail.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

atltartv.exeExplorer.EXE

pid process

1456 atltartv.exe
1456 atltartv.exe
3040 Explorer.EXE
3040 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

atltartv.exesvchost.exeExplorer.EXE

pid process

1456 atltartv.exe
4092 svchost.exe
3040 Explorer.EXE
3040 Explorer.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Explorer.EXE

pid process

3040 Explorer.EXE
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Explorer.EXE

pid process

3040 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3040 Explorer.EXE

pid	process
1456	atltartv.exe
1456	atltartv.exe
3040	Explorer.EXE
3040	Explorer.EXE

pid	process
1456	atltartv.exe
4092	svchost.exe
3040	Explorer.EXE
3040	Explorer.EXE

pid	process
3040	Explorer.EXE

pid	process
3040	Explorer.EXE

pid	process
3040	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.execmd.execmd.exeatltartv.exesvchost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1048 wrote to memory of 2932	1048	522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe	cmd.exe
PID 1048 wrote to memory of 2932	1048	522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe	cmd.exe
PID 1048 wrote to memory of 2932	1048	522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe	cmd.exe
PID 2932 wrote to memory of 204	2932	cmd.exe	cmd.exe
PID 2932 wrote to memory of 204	2932	cmd.exe	cmd.exe
PID 2932 wrote to memory of 204	2932	cmd.exe	cmd.exe
PID 204 wrote to memory of 1456	204	cmd.exe	atltartv.exe
PID 204 wrote to memory of 1456	204	cmd.exe	atltartv.exe
PID 204 wrote to memory of 1456	204	cmd.exe	atltartv.exe
PID 1456 wrote to memory of 4092	1456	atltartv.exe	svchost.exe
PID 1456 wrote to memory of 4092	1456	atltartv.exe	svchost.exe
PID 1456 wrote to memory of 4092	1456	atltartv.exe	svchost.exe
PID 1456 wrote to memory of 4092	1456	atltartv.exe	svchost.exe
PID 1456 wrote to memory of 4092	1456	atltartv.exe	svchost.exe
PID 4092 wrote to memory of 3040	4092	svchost.exe	Explorer.EXE
PID 4092 wrote to memory of 3040	4092	svchost.exe	Explorer.EXE
PID 4092 wrote to memory of 3040	4092	svchost.exe	Explorer.EXE
PID 3040 wrote to memory of 3500	3040	Explorer.EXE	RuntimeBroker.exe
PID 3040 wrote to memory of 3500	3040	Explorer.EXE	RuntimeBroker.exe
PID 3040 wrote to memory of 3500	3040	Explorer.EXE	RuntimeBroker.exe
PID 3040 wrote to memory of 816	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 816	3040	Explorer.EXE	cmd.exe
PID 816 wrote to memory of 3960	816	cmd.exe	nslookup.exe
PID 816 wrote to memory of 3960	816	cmd.exe	nslookup.exe
PID 3040 wrote to memory of 3992	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 3992	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 2708	3040	Explorer.EXE	WinMail.exe
PID 3040 wrote to memory of 2708	3040	Explorer.EXE	WinMail.exe
PID 3040 wrote to memory of 2708	3040	Explorer.EXE	WinMail.exe
PID 3040 wrote to memory of 2708	3040	Explorer.EXE	WinMail.exe
PID 3040 wrote to memory of 2708	3040	Explorer.EXE	WinMail.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe
  "C:\Users\Admin\AppData\Local\Temp\522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A45A\522D.bat" "C:\Users\Admin\AppData\Roaming\amstcca\atltartv.exe" "C:\Users\Admin\AppData\Local\Temp\522B12~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\amstcca\atltartv.exe" "C:\Users\Admin\AppData\Local\Temp\522B12~1.EXE""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:204
    - - C:\Users\Admin\AppData\Roaming\amstcca\atltartv.exe
        
        "C:\Users\Admin\AppData\Roaming\amstcca\atltartv.exe" "C:\Users\Admin\AppData\Local\Temp\522B12~1.EXE"
        5⤵
        Executes dropped EXE
        Deletes itself
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4092
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\3E5.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:3960
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3E5.bi1"
  2⤵
  PID:3992
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:2708

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3E5.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E5.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\A45A\522D.bat

MD5
7997e76073126b808d31e0e61e6b9b3b

SHA1
0944c039c0440740f3be72e66f4d21d93b26a483

SHA256
ecec2b47a3ddb2e506e47c9f2403ae4dde5b6eff5f700f8f0ceff9902ed6bb7d

SHA512
5a850278e35d9d32611487bf3750ab1910090528188315a454346e26ad4a5f5aacb494d9c316dbdc06acae6d85c7ea32adedc832a0a8c560b19c5f0f47f7a1d0

Download Submit
C:\Users\Admin\AppData\Roaming\amstcca\atltartv.exe

MD5
1ec1a06e9206527fa74c5560f1fa71b7

SHA1
808955643df13e421c270e377c819cde4dd2c845

SHA256
522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2

SHA512
f6d860a6b21db89615e90caadcc33734a0c6c1a0953fec6d9c0e9330dfb12d8455536ba7c398e86ed33d5e18490cc58ddae3b0c09733bbd1f58394cb5562c604

Download Submit
C:\Users\Admin\AppData\Roaming\amstcca\atltartv.exe

MD5
1ec1a06e9206527fa74c5560f1fa71b7

SHA1
808955643df13e421c270e377c819cde4dd2c845

SHA256
522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2

SHA512
f6d860a6b21db89615e90caadcc33734a0c6c1a0953fec6d9c0e9330dfb12d8455536ba7c398e86ed33d5e18490cc58ddae3b0c09733bbd1f58394cb5562c604

Download Submit
memory/204-2-0x0000000000000000-mapping.dmp

Download
memory/816-12-0x0000000000000000-mapping.dmp

Download
memory/1456-3-0x0000000000000000-mapping.dmp

Download
memory/1456-7-0x0000000002AE0000-0x0000000002B6F000-memory.dmp

Filesize
572KB

Download
memory/2708-20-0x00000224D30B0000-0x00000224D30E5000-memory.dmp

Filesize
212KB

Download
memory/2708-19-0x00000083A65C0000-mapping.dmp

Download
memory/2708-17-0x0000000000000000-mapping.dmp

Download
memory/2932-0-0x0000000000000000-mapping.dmp

Download
memory/3040-18-0x0000000006720000-0x00000000067AF000-memory.dmp

Filesize
572KB

Download
memory/3040-11-0x0000000006720000-0x00000000067AF000-memory.dmp

Filesize
572KB

Download
memory/3960-13-0x0000000000000000-mapping.dmp

Download
memory/3992-14-0x0000000000000000-mapping.dmp

Download
memory/4092-10-0x000001FC5ED80000-0x000001FC5EE0F000-memory.dmp

Filesize
572KB

Download
memory/4092-9-0x0000000000C10000-0x0000000000C45000-memory.dmp

Filesize
212KB

Download
memory/4092-8-0x000000FBF2CD1000-mapping.dmp

Download
memory/4092-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads