gozi_ifsb | 9f82497e7c205ee0d312af9eb90340cad637e89240b25addb5a25b290dd3f8c9

General

Target

cf49fa463bfe3404408c88335565bde7.exe
Size

933KB
MD5

cf49fa463bfe3404408c88335565bde7
SHA1

14f00190487fa5b351c5ed396b90228138ce01b4
SHA256

9f82497e7c205ee0d312af9eb90340cad637e89240b25addb5a25b290dd3f8c9
SHA512

cea82e4aa3f198977a9f9d63b25d584e42af906a7dc19d05abd6953938ef9fff79101b5e87834f35866f14c2c674f67dc2ddde28f142e6b3224e050cc51000e3

Score

10^/10

gozi_ifsb banker persistence trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

chsbmifs.exe

pid process

764 chsbmifs.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

432 cmd.exe

pid	process
764	chsbmifs.exe

pid	process
432	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cf49fa463bfe3404408c88335565bde7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\getumf32 = "C:\\Users\\Admin\\AppData\\Roaming\\apssclnt\\chsbmifs.exe"	cf49fa463bfe3404408c88335565bde7.exe

Modifies registry class 30 IoCs

Processes:

cf49fa463bfe3404408c88335565bde7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\FLAGS\ = "0"	cf49fa463bfe3404408c88335565bde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\TypeLib	cf49fa463bfe3404408c88335565bde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\Version	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\ = "Ibiteref"	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\InprocServer32\ = "%SystemRoot%\\SysWow64\\activeds.dll"	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\ProgID\	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\0\win32\ = "%CommonProgramFiles%\\Microsoft Shared\\DAO\\dao360.dll"	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\InprocServer32\	cf49fa463bfe3404408c88335565bde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\0\	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\HELPDIR\ = "%CommonProgramFiles%\\Microsoft Shared\\DAO\\dao360.dll"	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\Version\ = "1.0"	cf49fa463bfe3404408c88335565bde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\0	cf49fa463bfe3404408c88335565bde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\HELPDIR	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\Version\	cf49fa463bfe3404408c88335565bde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\0\win32	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\TypeLib\	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\TypeLib\ = "{09A0CA25-028B-4811-7562-60C971F1924B}"	cf49fa463bfe3404408c88335565bde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\InprocServer32	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\ProgID\ = "ADs"	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\FLAGS\	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\0\win32\	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\ = "Microsoft DAO 3.6 Object Library"	cf49fa463bfe3404408c88335565bde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\FLAGS	cf49fa463bfe3404408c88335565bde7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}\5.0\HELPDIR\	cf49fa463bfe3404408c88335565bde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}	cf49fa463bfe3404408c88335565bde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55030FD-9CA9-4666-C391-C886ECF9DD55}\ProgID	cf49fa463bfe3404408c88335565bde7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09A0CA25-028B-4811-7562-60C971F1924B}	cf49fa463bfe3404408c88335565bde7.exe

NTFS ADS 2 IoCs

Processes:

cf49fa463bfe3404408c88335565bde7.exechsbmifs.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\COMP::	cf49fa463bfe3404408c88335565bde7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\COMP::	chsbmifs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cf49fa463bfe3404408c88335565bde7.execmd.execmd.exe

description	pid	process	target process
PID 1824 wrote to memory of 1716	1824	cf49fa463bfe3404408c88335565bde7.exe	cmd.exe
PID 1824 wrote to memory of 1716	1824	cf49fa463bfe3404408c88335565bde7.exe	cmd.exe
PID 1824 wrote to memory of 1716	1824	cf49fa463bfe3404408c88335565bde7.exe	cmd.exe
PID 1824 wrote to memory of 1716	1824	cf49fa463bfe3404408c88335565bde7.exe	cmd.exe
PID 1716 wrote to memory of 1080	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 1080	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 1080	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 1080	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 432	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 432	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 432	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 432	1716	cmd.exe	cmd.exe
PID 432 wrote to memory of 764	432	cmd.exe	chsbmifs.exe
PID 432 wrote to memory of 764	432	cmd.exe	chsbmifs.exe
PID 432 wrote to memory of 764	432	cmd.exe	chsbmifs.exe
PID 432 wrote to memory of 764	432	cmd.exe	chsbmifs.exe

C:\Users\Admin\AppData\Local\Temp\cf49fa463bfe3404408c88335565bde7.exe
"C:\Users\Admin\AppData\Local\Temp\cf49fa463bfe3404408c88335565bde7.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B01E\580F.bat" "C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\CF49FA~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\CF49FA~1.EXE""
3⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\CF49FA~1.EXE""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
"C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\CF49FA~1.EXE"
4⤵
- Executes dropped EXE
- NTFS ADS
PID:764

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B01E\580F.bat
MD5
1536f621491b421b30da20f5895ab255

SHA1
03a73ecf0123d1cd12d152f2c20f3cbf1658cac1

SHA256
4507a760a731e7e8c31a063fe3bd235788a093524f94dcfc25c6e65f529d7b19

SHA512
9d175b9140ee503dd206d0b90f1045c42dd13a4b304e0d109ad95e53a969bbcc88fed39d23348b50440e062871ae2c0e7242def698102dd12ecd433df88022e4

Download Submit
C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
MD5
cf49fa463bfe3404408c88335565bde7

SHA1
14f00190487fa5b351c5ed396b90228138ce01b4

SHA256
9f82497e7c205ee0d312af9eb90340cad637e89240b25addb5a25b290dd3f8c9

SHA512
cea82e4aa3f198977a9f9d63b25d584e42af906a7dc19d05abd6953938ef9fff79101b5e87834f35866f14c2c674f67dc2ddde28f142e6b3224e050cc51000e3

Download Submit
C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
MD5
cf49fa463bfe3404408c88335565bde7

SHA1
14f00190487fa5b351c5ed396b90228138ce01b4

SHA256
9f82497e7c205ee0d312af9eb90340cad637e89240b25addb5a25b290dd3f8c9

SHA512
cea82e4aa3f198977a9f9d63b25d584e42af906a7dc19d05abd6953938ef9fff79101b5e87834f35866f14c2c674f67dc2ddde28f142e6b3224e050cc51000e3

Download Submit
\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
MD5
cf49fa463bfe3404408c88335565bde7

SHA1
14f00190487fa5b351c5ed396b90228138ce01b4

SHA256
9f82497e7c205ee0d312af9eb90340cad637e89240b25addb5a25b290dd3f8c9

SHA512
cea82e4aa3f198977a9f9d63b25d584e42af906a7dc19d05abd6953938ef9fff79101b5e87834f35866f14c2c674f67dc2ddde28f142e6b3224e050cc51000e3

Download Submit
memory/432-5-0x0000000000000000-mapping.dmp

Download
memory/764-8-0x0000000000000000-mapping.dmp

Download
memory/1080-4-0x0000000000000000-mapping.dmp

Download
memory/1716-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads