gozi_ifsb | 4953b55d6b1a3c0c06178d8c005641b63c875d9aaa330fe430d049dd6617e70a

Analysis

max time kernel
118s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
11-12-2020 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
Size

373KB
MD5

a3701be6d0583d2f351a11cfac483623
SHA1

18b378083bdd67452a64bdb93c6a9a5a20770cc2
SHA256

376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e
SHA512

22932982cacf44414e1dadf20f999aa8183022f7dbcca6cb22afe64514452ab4d01fd758c54ed9b58e9c55e32778cd300da19d9419572795d912bfe3e3fc7c24

Score

10^/10

gozi_ifsb banker persistence spyware trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 2 IoCs

Processes:

audiprov.exeaudiprov.exe

pid process

1664 audiprov.exe
408 audiprov.exe
Deletes itself 1 IoCs

Processes:

audiprov.exe

pid process

408 audiprov.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeaudiprov.exe

pid process

1116 cmd.exe
1116 cmd.exe
1664 audiprov.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1664	audiprov.exe
408	audiprov.exe

pid	process
408	audiprov.exe

pid	process
1116	cmd.exe
1116	cmd.exe
1664	audiprov.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcrydPnp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cryputil\\audiprov.exe"	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exeaudiprov.exeaudiprov.exesvchost.exe

description	pid	process	target process
PID 2024 set thread context of 1748	2024	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
PID 1664 set thread context of 408	1664	audiprov.exe	audiprov.exe
PID 408 set thread context of 552	408	audiprov.exe	svchost.exe
PID 552 set thread context of 1268	552	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

audiprov.exeExplorer.EXE

pid process

408 audiprov.exe
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

audiprov.exesvchost.exe

pid process

408 audiprov.exe
552 svchost.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE

pid	process
408	audiprov.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
408	audiprov.exe
552	svchost.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.execmd.execmd.exeaudiprov.exeaudiprov.exesvchost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 1748	2024	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
PID 2024 wrote to memory of 1748	2024	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
PID 2024 wrote to memory of 1748	2024	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
PID 2024 wrote to memory of 1748	2024	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
PID 2024 wrote to memory of 1748	2024	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
PID 2024 wrote to memory of 1748	2024	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
PID 2024 wrote to memory of 1748	2024	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
PID 2024 wrote to memory of 1748	2024	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
PID 2024 wrote to memory of 1748	2024	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
PID 2024 wrote to memory of 1748	2024	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
PID 2024 wrote to memory of 1748	2024	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
PID 1748 wrote to memory of 1220	1748	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	cmd.exe
PID 1748 wrote to memory of 1220	1748	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	cmd.exe
PID 1748 wrote to memory of 1220	1748	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	cmd.exe
PID 1748 wrote to memory of 1220	1748	376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe	cmd.exe
PID 1220 wrote to memory of 1116	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 1116	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 1116	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 1116	1220	cmd.exe	cmd.exe
PID 1116 wrote to memory of 1664	1116	cmd.exe	audiprov.exe
PID 1116 wrote to memory of 1664	1116	cmd.exe	audiprov.exe
PID 1116 wrote to memory of 1664	1116	cmd.exe	audiprov.exe
PID 1116 wrote to memory of 1664	1116	cmd.exe	audiprov.exe
PID 1664 wrote to memory of 408	1664	audiprov.exe	audiprov.exe
PID 1664 wrote to memory of 408	1664	audiprov.exe	audiprov.exe
PID 1664 wrote to memory of 408	1664	audiprov.exe	audiprov.exe
PID 1664 wrote to memory of 408	1664	audiprov.exe	audiprov.exe
PID 1664 wrote to memory of 408	1664	audiprov.exe	audiprov.exe
PID 1664 wrote to memory of 408	1664	audiprov.exe	audiprov.exe
PID 1664 wrote to memory of 408	1664	audiprov.exe	audiprov.exe
PID 1664 wrote to memory of 408	1664	audiprov.exe	audiprov.exe
PID 1664 wrote to memory of 408	1664	audiprov.exe	audiprov.exe
PID 1664 wrote to memory of 408	1664	audiprov.exe	audiprov.exe
PID 1664 wrote to memory of 408	1664	audiprov.exe	audiprov.exe
PID 408 wrote to memory of 552	408	audiprov.exe	svchost.exe
PID 408 wrote to memory of 552	408	audiprov.exe	svchost.exe
PID 408 wrote to memory of 552	408	audiprov.exe	svchost.exe
PID 408 wrote to memory of 552	408	audiprov.exe	svchost.exe
PID 408 wrote to memory of 552	408	audiprov.exe	svchost.exe
PID 408 wrote to memory of 552	408	audiprov.exe	svchost.exe
PID 408 wrote to memory of 552	408	audiprov.exe	svchost.exe
PID 552 wrote to memory of 1268	552	svchost.exe	Explorer.EXE
PID 552 wrote to memory of 1268	552	svchost.exe	Explorer.EXE
PID 552 wrote to memory of 1268	552	svchost.exe	Explorer.EXE
PID 1268 wrote to memory of 1096	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1096	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1096	1268	Explorer.EXE	cmd.exe
PID 1096 wrote to memory of 1328	1096	cmd.exe	nslookup.exe
PID 1096 wrote to memory of 1328	1096	cmd.exe	nslookup.exe
PID 1096 wrote to memory of 1328	1096	cmd.exe	nslookup.exe
PID 1268 wrote to memory of 1660	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1660	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1660	1268	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
"C:\Users\Admin\AppData\Local\Temp\376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe
"C:\Users\Admin\AppData\Local\Temp\376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8B3F\21.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\Cryputil\audiprov.exe" "C:\Users\Admin\AppData\Local\Temp\376ECE~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\Cryputil\audiprov.exe" "C:\Users\Admin\AppData\Local\Temp\376ECE~1.EXE""
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Roaming\MICROS~1\Cryputil\audiprov.exe
"C:\Users\Admin\AppData\Roaming\MICROS~1\Cryputil\audiprov.exe" "C:\Users\Admin\AppData\Local\Temp\376ECE~1.EXE"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Roaming\MICROS~1\Cryputil\audiprov.exe
"C:\Users\Admin\AppData\Roaming\MICROS~1\Cryputil\audiprov.exe" "C:\Users\Admin\AppData\Local\Temp\376ECE~1.EXE"
7⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\6B20.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:1328

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6B20.bi1"
2⤵
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6B20.bi1
MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B20.bi1
MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B3F\21.bat
MD5
3b5932a1f627a49431108ab13dd56faf

SHA1
660160b1016e4f819e7b8e2ff65698929a3848a7

SHA256
e0099b38f946be5aa5379661b9e162f0abd16bcce776374981ec70116d09f59c

SHA512
02d00c988abc595eed0edebb3b8e6af268999316487677b011a4ba23b706eb945394d8ae09ef6cb8a0a5b5690b81f95af44b9bcc7a5d8763afb95550e04e48ab

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Cryputil\audiprov.exe
MD5
a3701be6d0583d2f351a11cfac483623

SHA1
18b378083bdd67452a64bdb93c6a9a5a20770cc2

SHA256
376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e

SHA512
22932982cacf44414e1dadf20f999aa8183022f7dbcca6cb22afe64514452ab4d01fd758c54ed9b58e9c55e32778cd300da19d9419572795d912bfe3e3fc7c24

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Cryputil\audiprov.exe
MD5
a3701be6d0583d2f351a11cfac483623

SHA1
18b378083bdd67452a64bdb93c6a9a5a20770cc2

SHA256
376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e

SHA512
22932982cacf44414e1dadf20f999aa8183022f7dbcca6cb22afe64514452ab4d01fd758c54ed9b58e9c55e32778cd300da19d9419572795d912bfe3e3fc7c24

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Cryputil\audiprov.exe
MD5
a3701be6d0583d2f351a11cfac483623

SHA1
18b378083bdd67452a64bdb93c6a9a5a20770cc2

SHA256
376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e

SHA512
22932982cacf44414e1dadf20f999aa8183022f7dbcca6cb22afe64514452ab4d01fd758c54ed9b58e9c55e32778cd300da19d9419572795d912bfe3e3fc7c24

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\Cryputil\audiprov.exe
MD5
a3701be6d0583d2f351a11cfac483623

SHA1
18b378083bdd67452a64bdb93c6a9a5a20770cc2

SHA256
376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e

SHA512
22932982cacf44414e1dadf20f999aa8183022f7dbcca6cb22afe64514452ab4d01fd758c54ed9b58e9c55e32778cd300da19d9419572795d912bfe3e3fc7c24

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\Cryputil\audiprov.exe
MD5
a3701be6d0583d2f351a11cfac483623

SHA1
18b378083bdd67452a64bdb93c6a9a5a20770cc2

SHA256
376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e

SHA512
22932982cacf44414e1dadf20f999aa8183022f7dbcca6cb22afe64514452ab4d01fd758c54ed9b58e9c55e32778cd300da19d9419572795d912bfe3e3fc7c24

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\Cryputil\audiprov.exe
MD5
a3701be6d0583d2f351a11cfac483623

SHA1
18b378083bdd67452a64bdb93c6a9a5a20770cc2

SHA256
376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e

SHA512
22932982cacf44414e1dadf20f999aa8183022f7dbcca6cb22afe64514452ab4d01fd758c54ed9b58e9c55e32778cd300da19d9419572795d912bfe3e3fc7c24

Download Submit
memory/408-17-0x0000000000401000-mapping.dmp

Download
memory/408-21-0x0000000001CA0000-0x0000000001D32000-memory.dmp

Filesize
584KB

Download
memory/552-20-0x0000000000000000-mapping.dmp

Download
memory/552-24-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/552-23-0x00000000000D0000-0x0000000000106000-memory.dmp

Filesize
216KB

Download
memory/552-22-0x000007FFFFFD5000-mapping.dmp

Download
memory/1096-473-0x0000000000000000-mapping.dmp

Download
memory/1116-8-0x0000000000000000-mapping.dmp

Download
memory/1220-6-0x0000000000000000-mapping.dmp

Download
memory/1268-251-0x0000000007E80000-0x0000000007E91000-memory.dmp

Filesize
68KB

Download
memory/1268-25-0x0000000007E80000-0x0000000007E91000-memory.dmp

Filesize
68KB

Download
memory/1268-26-0x0000000008290000-0x00000000082A1000-memory.dmp

Filesize
68KB

Download
memory/1268-27-0x0000000007E80000-0x0000000007E91000-memory.dmp

Filesize
68KB

Download
memory/1328-474-0x0000000000000000-mapping.dmp

Download
memory/1660-475-0x0000000000000000-mapping.dmp

Download
memory/1664-14-0x000000000062F000-0x0000000000630000-memory.dmp

Filesize
4KB

Download
memory/1664-12-0x0000000000000000-mapping.dmp

Download
memory/1748-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1748-4-0x0000000000401000-mapping.dmp

Download
memory/1748-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-2-0x000000000030F000-0x0000000000310000-memory.dmp

Filesize
4KB

Download