gozi_ifsb | 8baffba2ed672607e1535dcbfcc47a264e7b8941f63cf181814d7365e8627d05

General

Target

pan0ramic0.jpg.dll
Size

220KB
MD5

86b877eeaf0482b5e1439ed80a82fffb
SHA1

26c46504c293311f0403bf699f2ddc6cacb63c5b
SHA256

8baffba2ed672607e1535dcbfcc47a264e7b8941f63cf181814d7365e8627d05
SHA512

668d14788dea6baa58997ee0ddc364c93d268091cc0f2b7e30a1d0b29c6389438c11d53b35d5ab40abe58efebbc92f5acdae92e0cba852cfbd970cecf0e53dd5

Score

10^/10

gozi_ifsb banker ransomware trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8AF7F178-5C9A-11EB-B59A-5A6C71108AE1} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00f6656aa7f0d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30863527"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1605068488"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a000000000200000000001066000000010000200000007970494311470d8255a51997fdc6dae736d6eed7e0f5c3002d8a01999a0f7998000000000e8000000002000020000000ad3a53e580b3ba4b5540471937ba423a8d4a4b91e71f9e25a88adbd5d36291c620000000960b6c123d1db3a44bd8b5b9864733b522991e13e07258eae95d795bef5d82624000000068e2f9798c051b32b5239e304ab5b0b64e6fd11a5a622186d73fffc260031c0eb15c69a4770076a36da2fa5f59020c30c663c9768d6d8e763a958245d1f6ed7d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AE381578-5C9A-11EB-B59A-5A6C71108AE1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1605068488"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a0000000002000000000010660000000100002000000004dfbaa4175693f7ade46ae94f742073f1f788ffd0912a4b054c31fde2b1f49d000000000e8000000002000020000000e255e3df13deb9759e845d32a08457f613835aafa1c3470bd3edb96f315698e120000000620499f683e9aafbbc8f1c42996c10e4291a6c0b2ceee2c9d20f9d73f0e4941a40000000d132c38fb2319184592b8df5176630a0f816cf5bcf3d3d718243e58c2a2bd39e75553a7de48e49353755d2a9e71a6cf25336b6c0b2cef6a667a47350b62c4dcf	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000caaf1aa1e5ef6c2936ac0a34f6ae27a1599df0d87c9374b61191977fbddba7e2000000000e8000000002000020000000719db03712080307615cdb167c64ce0085a84346b779fbb803b29cacd0ef63d1200000005777b25a7e9b0d3d4403c528b154f10907c33a20e81f58b4f764581a0b00715e40000000fe97300dc963c2e7eb0e5ae3334d39f6b1f78f40a09cab9c15b7b9207b71e4ebd0900a90868d5d9c466d4b37b53abe5c9b0fcabf969da5af51c02e509cec41ab	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4046496aa7f0d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30863527"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70b25f71a7f0d601	iexplore.exe

Suspicious use of FindShellTrayWindow 78 IoCs

Processes:

regsvr32.exe

pid	process
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe
3880	regsvr32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid process

732 iexplore.exe
732 iexplore.exe
4048 IEXPLORE.EXE
4048 IEXPLORE.EXE
1996 iexplore.exe
1996 iexplore.exe
1836 IEXPLORE.EXE
1836 IEXPLORE.EXE

pid	process
732	iexplore.exe
732	iexplore.exe
4048	IEXPLORE.EXE
4048	IEXPLORE.EXE
1996	iexplore.exe
1996	iexplore.exe
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

regsvr32.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 796 wrote to memory of 3880	796	regsvr32.exe	regsvr32.exe
PID 796 wrote to memory of 3880	796	regsvr32.exe	regsvr32.exe
PID 796 wrote to memory of 3880	796	regsvr32.exe	regsvr32.exe
PID 732 wrote to memory of 4048	732	iexplore.exe	IEXPLORE.EXE
PID 732 wrote to memory of 4048	732	iexplore.exe	IEXPLORE.EXE
PID 732 wrote to memory of 4048	732	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1836	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1836	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1836	1996	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\pan0ramic0.jpg.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\pan0ramic0.jpg.dll
2⤵
- Suspicious use of FindShellTrayWindow
PID:3880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:732

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:732 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1836-6-0x0000000000000000-mapping.dmp

Download
memory/3880-2-0x0000000000000000-mapping.dmp

Download
memory/3880-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3880-3-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/4048-5-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads