gozi_ifsb | fb6856b2e1967b9bebf8deb3f3ea2994cf437e6184d9dc99ee53c92c531d0e27

Target

37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe
Size

539KB
MD5

10fda777cc56f004e90a4037e1e2cdcc
SHA1

2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9
SHA256

37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028
SHA512

9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

Score

10^/10

gozi_ifsb ursnif banker persistence trojan

Malware Config

Extracted

Family

ursnif

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

Executes dropped EXE 1 IoCs

pid	Process
2016	chsbmifs.exe

Deletes itself 1 IoCs

pid	Process
2016	chsbmifs.exe

Loads dropped DLL 1 IoCs

pid	Process
2004	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\getumf32 = "C:\\Users\\Admin\\AppData\\Roaming\\apssclnt\\chsbmifs.exe"	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 408	2016	chsbmifs.exe	33
PID 408 set thread context of 1268	408	svchost.exe	11

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2016	chsbmifs.exe
1268	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2016	chsbmifs.exe
408	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1664	2024	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe	29
PID 2024 wrote to memory of 1664	2024	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe	29
PID 2024 wrote to memory of 1664	2024	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe	29
PID 2024 wrote to memory of 1664	2024	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe	29
PID 1664 wrote to memory of 2004	1664	cmd.exe	31
PID 1664 wrote to memory of 2004	1664	cmd.exe	31
PID 1664 wrote to memory of 2004	1664	cmd.exe	31
PID 1664 wrote to memory of 2004	1664	cmd.exe	31
PID 2004 wrote to memory of 2016	2004	cmd.exe	32
PID 2004 wrote to memory of 2016	2004	cmd.exe	32
PID 2004 wrote to memory of 2016	2004	cmd.exe	32
PID 2004 wrote to memory of 2016	2004	cmd.exe	32
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	33
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	33
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	33
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	33
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	33
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	33
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	33
PID 408 wrote to memory of 1268	408	svchost.exe	11
PID 408 wrote to memory of 1268	408	svchost.exe	11
PID 408 wrote to memory of 1268	408	svchost.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1268
- C:\Users\Admin\AppData\Local\Temp\37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe
  "C:\Users\Admin\AppData\Local\Temp\37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\F50A\FA85.bat" "C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\37E185~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\37E185~1.EXE""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
        
        "C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\37E185~1.EXE"
        5⤵
        Executes dropped EXE
        Deletes itself
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/408-12-0x00000000003D0000-0x000000000040D000-memory.dmp

Filesize
244KB

Download
memory/408-13-0x00000000023C0000-0x0000000002465000-memory.dmp

Filesize
660KB

Download
memory/2016-10-0x00000000004A0000-0x0000000000545000-memory.dmp

Filesize
660KB

Download