gozi_ifsb | ccecbbaf6bdd8b83cb5966dc1e8f6157aea6a22274166fb7c10f194ad28f4277

General

Target

gye1.cab.dll
Size

632KB
MD5

e78b3e5f216b0fc21a528a1a4de83a39
SHA1

91d536c3667177f95b1713b563d54a1437bf27d5
SHA256

4eed17645ed997121a95459508067a23459d1e36f43d50f672f198e9d117cc2c
SHA512

b56548d765c9f0fcc0f65b4f283b406ce8b4f70c8b6b3a0845299075b8bc7ae1b60032cd7fb40f69ba855767e3304904c8ce413bbdb4cc4773df439256deadeb

Score

10^/10

gozi_ifsb banker persistence spyware trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\esentcls = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ApirPQEC\\bitsaext.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

regsvr32.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 1136 set thread context of 1656	1136	regsvr32.exe	control.exe
PID 1656 set thread context of 1260	1656	control.exe	Explorer.EXE
PID 1656 set thread context of 940	1656	control.exe	rundll32.exe
PID 1260 set thread context of 544	1260	Explorer.EXE	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exeExplorer.EXE

pid process

1136 regsvr32.exe
1260 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

regsvr32.execontrol.exeExplorer.EXE

pid process

1136 regsvr32.exe
1656 control.exe
1656 control.exe
1260 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE

pid	process
1136	regsvr32.exe
1260	Explorer.EXE

pid	process
1260	Explorer.EXE

pid	process
1136	regsvr32.exe
1656	control.exe
1656	control.exe
1260	Explorer.EXE

pid	process
1260	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

regsvr32.exeregsvr32.execontrol.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1680 wrote to memory of 1136	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 1136	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 1136	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 1136	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 1136	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 1136	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 1136	1680	regsvr32.exe	regsvr32.exe
PID 1136 wrote to memory of 1656	1136	regsvr32.exe	control.exe
PID 1136 wrote to memory of 1656	1136	regsvr32.exe	control.exe
PID 1136 wrote to memory of 1656	1136	regsvr32.exe	control.exe
PID 1136 wrote to memory of 1656	1136	regsvr32.exe	control.exe
PID 1136 wrote to memory of 1656	1136	regsvr32.exe	control.exe
PID 1136 wrote to memory of 1656	1136	regsvr32.exe	control.exe
PID 1136 wrote to memory of 1656	1136	regsvr32.exe	control.exe
PID 1656 wrote to memory of 1260	1656	control.exe	Explorer.EXE
PID 1656 wrote to memory of 1260	1656	control.exe	Explorer.EXE
PID 1656 wrote to memory of 1260	1656	control.exe	Explorer.EXE
PID 1656 wrote to memory of 940	1656	control.exe	rundll32.exe
PID 1656 wrote to memory of 940	1656	control.exe	rundll32.exe
PID 1656 wrote to memory of 940	1656	control.exe	rundll32.exe
PID 1656 wrote to memory of 940	1656	control.exe	rundll32.exe
PID 1656 wrote to memory of 940	1656	control.exe	rundll32.exe
PID 1656 wrote to memory of 940	1656	control.exe	rundll32.exe
PID 1260 wrote to memory of 300	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 300	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 300	1260	Explorer.EXE	cmd.exe
PID 300 wrote to memory of 548	300	cmd.exe	nslookup.exe
PID 300 wrote to memory of 548	300	cmd.exe	nslookup.exe
PID 300 wrote to memory of 548	300	cmd.exe	nslookup.exe
PID 1260 wrote to memory of 1444	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 1444	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 1444	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 544	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 544	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 544	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 544	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 544	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 544	1260	Explorer.EXE	cmd.exe
PID 1260 wrote to memory of 544	1260	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\gye1.cab.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\gye1.cab.dll
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
5⤵
PID:940

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\D370.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:548

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D370.bi1"
2⤵
PID:1444

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D370.bi1
MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D370.bi1
MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ApirPQEC\bitsaext.dll
MD5
e78b3e5f216b0fc21a528a1a4de83a39

SHA1
91d536c3667177f95b1713b563d54a1437bf27d5

SHA256
4eed17645ed997121a95459508067a23459d1e36f43d50f672f198e9d117cc2c

SHA512
b56548d765c9f0fcc0f65b4f283b406ce8b4f70c8b6b3a0845299075b8bc7ae1b60032cd7fb40f69ba855767e3304904c8ce413bbdb4cc4773df439256deadeb

Download Submit
memory/300-13-0x0000000000000000-mapping.dmp

Download
memory/544-20-0x0000000000000000-mapping.dmp

Download
memory/544-18-0x0000000000000000-mapping.dmp

Download
memory/548-14-0x0000000000000000-mapping.dmp

Download
memory/940-10-0x0000000000000000-mapping.dmp

Download
memory/940-12-0x000007FFFFFD7000-mapping.dmp

Download
memory/1136-2-0x0000000000000000-mapping.dmp

Download
memory/1136-6-0x0000000002830000-0x00000000028E3000-memory.dmp

Filesize
716KB

Download
memory/1136-4-0x0000000000110000-0x000000000011D000-memory.dmp

Filesize
52KB

Download
memory/1136-3-0x0000000000140000-0x000000000018A000-memory.dmp

Filesize
296KB

Download
memory/1260-19-0x0000000006240000-0x00000000062E5000-memory.dmp

Filesize
660KB

Download
memory/1444-15-0x0000000000000000-mapping.dmp

Download
memory/1656-11-0x00000000025D0000-0x0000000002683000-memory.dmp

Filesize
716KB

Download
memory/1656-8-0x0000000001C40000-0x0000000001CF3000-memory.dmp

Filesize
716KB

Download
memory/1656-7-0x000007FFFFFD5000-mapping.dmp

Download
memory/1656-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads