gozi_ifsb | fb6856b2e1967b9bebf8deb3f3ea2994cf437e6184d9dc99ee53c92c531d0e27

General

Target

37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe
Size

539KB
MD5

10fda777cc56f004e90a4037e1e2cdcc
SHA1

2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9
SHA256

37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028
SHA512

9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

Score

10^/10

gozi_ifsb ursnif banker persistence trojan

Malware Config

Extracted

Family

ursnif

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Executes dropped EXE 1 IoCs

Processes:

chsbmifs.exe

pid process

2016 chsbmifs.exe
Deletes itself 1 IoCs

Processes:

chsbmifs.exe

pid process

2016 chsbmifs.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2004 cmd.exe

pid	process
2016	chsbmifs.exe

pid	process
2016	chsbmifs.exe

pid	process
2004	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\getumf32 = "C:\\Users\\Admin\\AppData\\Roaming\\apssclnt\\chsbmifs.exe"	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

chsbmifs.exesvchost.exe

description	pid	process	target process
PID 2016 set thread context of 408	2016	chsbmifs.exe	svchost.exe
PID 408 set thread context of 1268	408	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chsbmifs.exeExplorer.EXE

pid process

2016 chsbmifs.exe
1268 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

chsbmifs.exesvchost.exe

pid process

2016 chsbmifs.exe
408 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE

pid	process
2016	chsbmifs.exe
1268	Explorer.EXE

pid	process
2016	chsbmifs.exe
408	svchost.exe

pid	process
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.execmd.execmd.exechsbmifs.exesvchost.exe

description	pid	process	target process
PID 2024 wrote to memory of 1664	2024	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe	cmd.exe
PID 2024 wrote to memory of 1664	2024	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe	cmd.exe
PID 2024 wrote to memory of 1664	2024	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe	cmd.exe
PID 2024 wrote to memory of 1664	2024	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe	cmd.exe
PID 1664 wrote to memory of 2004	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 2004	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 2004	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 2004	1664	cmd.exe	cmd.exe
PID 2004 wrote to memory of 2016	2004	cmd.exe	chsbmifs.exe
PID 2004 wrote to memory of 2016	2004	cmd.exe	chsbmifs.exe
PID 2004 wrote to memory of 2016	2004	cmd.exe	chsbmifs.exe
PID 2004 wrote to memory of 2016	2004	cmd.exe	chsbmifs.exe
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	svchost.exe
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	svchost.exe
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	svchost.exe
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	svchost.exe
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	svchost.exe
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	svchost.exe
PID 2016 wrote to memory of 408	2016	chsbmifs.exe	svchost.exe
PID 408 wrote to memory of 1268	408	svchost.exe	Explorer.EXE
PID 408 wrote to memory of 1268	408	svchost.exe	Explorer.EXE
PID 408 wrote to memory of 1268	408	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Users\Admin\AppData\Local\Temp\37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe
"C:\Users\Admin\AppData\Local\Temp\37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F50A\FA85.bat" "C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\37E185~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\37E185~1.EXE""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
"C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\37E185~1.EXE"
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:408

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F50A\FA85.bat
MD5
0647e44683b1004764a64a37eff67e17

SHA1
1953540bcaaaf0613e71cd21c0c9a60e50be704a

SHA256
4905ee5cb09d7955e9be1d0a9e711c5fff17704451a0e41fa80ec7ed8f564e88

SHA512
e77ee6cca97e1f991a8665755e28468d6b6d76667a0be9eed64c1ac72abde9e6e2453e6d97582e5e814f6fdce3e10c52b5d5643b17b3c234690b0f6be6ae7e00

Download Submit
C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
MD5
10fda777cc56f004e90a4037e1e2cdcc

SHA1
2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9

SHA256
37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028

SHA512
9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

Download Submit
C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
MD5
10fda777cc56f004e90a4037e1e2cdcc

SHA1
2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9

SHA256
37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028

SHA512
9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

Download Submit
\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
MD5
10fda777cc56f004e90a4037e1e2cdcc

SHA1
2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9

SHA256
37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028

SHA512
9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

Download Submit
memory/408-9-0x0000000000000000-mapping.dmp

Download
memory/408-11-0x000007FFFFFDE000-mapping.dmp

Download
memory/408-12-0x00000000003D0000-0x000000000040D000-memory.dmp

Filesize
244KB

Download
memory/408-13-0x00000000023C0000-0x0000000002465000-memory.dmp

Filesize
660KB

Download
memory/1664-2-0x0000000000000000-mapping.dmp

Download
memory/2004-4-0x0000000000000000-mapping.dmp

Download
memory/2016-7-0x0000000000000000-mapping.dmp

Download
memory/2016-10-0x00000000004A0000-0x0000000000545000-memory.dmp

Filesize
660KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads