gozi_ifsb | 00af5f13551c5e20fe29ec3d12dca555a56cd1edcd0a8633373872334de485ae

General

Target

p1cture3.dll
Size

133KB
MD5

363430ba47c7d69f75e9bc90dbbc1d8c
SHA1

47fe41dd67e0245c1ece8fcd2c10c713823db833
SHA256

00af5f13551c5e20fe29ec3d12dca555a56cd1edcd0a8633373872334de485ae
SHA512

4e081eb20aaaa487e9047f29b12b508d62fd77517652088d86e310d7d55492ecc4fb2033778cc0e9ce863ae00f7a36aeefa52a24e1e520897b53f8206abca785

Score

10^/10

gozi_ifsb banker trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Modifies Internet Explorer settings 1 TTPs 81 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00885c1440d5d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{657101F1-4133-11EB-8030-C611B4A1F110} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{23A7E1D1-4133-11EB-8030-C611B4A1F110} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000002e7a5c697790c2ca4ff7ecc5e2d53aabd440b7406239c3223bdb8ba90f52400c000000000e8000000002000020000000d515526b095f16b3ef0d63aec290988b11766c5ae8a5302d4d475b2c470a6eb220000000032c73596091a92637a01d1e5cb62609f46f14880faee0ba35cf7b5fb84baf20400000002e4f5908f38b8cb64c43e47f1759ff9c33ff86962742a5e465ac43f19ef04b84379565ac15db5db4a7cd9eb2ba9736adae0b59b41f92ac0ff76dd3516c4b79f2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of FindShellTrayWindow 1557 IoCs

Processes:

regsvr32.exe

pid	process
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe

Suspicious use of SendNotifyMessage 1554 IoCs

Processes:

regsvr32.exe

pid	process
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1388	iexplore.exe
1388	iexplore.exe
1076	IEXPLORE.EXE
1076	IEXPLORE.EXE
576	iexplore.exe
576	iexplore.exe
548	IEXPLORE.EXE
548	IEXPLORE.EXE
1784	iexplore.exe
1784	iexplore.exe
964	IEXPLORE.EXE
964	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

regsvr32.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 836 wrote to memory of 1508	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 1508	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 1508	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 1508	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 1508	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 1508	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 1508	836	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 1076	1388	iexplore.exe	IEXPLORE.EXE
PID 1388 wrote to memory of 1076	1388	iexplore.exe	IEXPLORE.EXE
PID 1388 wrote to memory of 1076	1388	iexplore.exe	IEXPLORE.EXE
PID 1388 wrote to memory of 1076	1388	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 548	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 548	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 548	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 548	576	iexplore.exe	IEXPLORE.EXE
PID 1784 wrote to memory of 964	1784	iexplore.exe	IEXPLORE.EXE
PID 1784 wrote to memory of 964	1784	iexplore.exe	IEXPLORE.EXE
PID 1784 wrote to memory of 964	1784	iexplore.exe	IEXPLORE.EXE
PID 1784 wrote to memory of 964	1784	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\p1cture3.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\p1cture3.dll
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4E06HC75.txt
MD5
3e3119dbd57cf0abbcef13b3cf1b42cc

SHA1
79e5bf6508447d2219baef39de56b3daca8f2d1a

SHA256
0aac56538dc9959aab1f21ade784d764dd601824a1740ce4ec2012b979880c19

SHA512
2ae515c17b03d524ddb74f954d13a21ef18e8e69f41bdb8f1fd240e4bdc4263138a6aac3c7bd9d30988a7b7a863711e12b2a38c6ceee58fb09117271823328ce

Download Submit
memory/412-3-0x000007FEF7C70000-0x000007FEF7EEA000-memory.dmp

Filesize
2.5MB

Download
memory/548-5-0x0000000000000000-mapping.dmp

Download
memory/964-6-0x0000000000000000-mapping.dmp

Download
memory/1076-4-0x0000000000000000-mapping.dmp

Download
memory/1508-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads