gozi_ifsb | 9f6d02b422cb72eb3bbc723b8b4a692bc9f641f1908b7e4b32685b2ad42fbef7

General

Target

b5b2765aaf97ae9c22abd312e684616d.dll
Size

820KB
MD5

b5b2765aaf97ae9c22abd312e684616d
SHA1

a66a652c2067f7489b83aba3b78502c0f482863b
SHA256

9f6d02b422cb72eb3bbc723b8b4a692bc9f641f1908b7e4b32685b2ad42fbef7
SHA512

af6c0a6c582a0cfd4f7de6bf1cf0199898b31edc0dba5467a499c2148e425d91d556bd7eebd08faf093d610cbf2afbee2237affc206106c7209cb2492a563279

Score

10^/10

gozi_ifsb 2000 banker evasion persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers
exe_type

Extracted

Family

gozi_ifsb

Botnet

2000

Attributes

build
215755
dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers
exe_type
worker

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\authCore\aecahell.dll = "0"	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\deskintf = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\authCore\\aecahell.dll\",DllRegisterServer"	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

rundll32.exesvchost.exe

description	pid	process	target process
PID 112 set thread context of 1648	112	rundll32.exe	svchost.exe
PID 1648 set thread context of 1196	1648	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

112 rundll32.exe
1196 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exesvchost.exe

pid process

112 rundll32.exe
1648 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeExplorer.EXE

description pid process

Token: SeTakeOwnershipPrivilege 112 rundll32.exe
Token: SeShutdownPrivilege 1196 Explorer.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE

pid	process
112	rundll32.exe
1196	Explorer.EXE

pid	process
1196	Explorer.EXE

pid	process
112	rundll32.exe
1648	svchost.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	112	rundll32.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE

pid	process
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE

pid	process
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE

pid	process
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

rundll32.exerundll32.exesvchost.exe

description	pid	process	target process
PID 548 wrote to memory of 112	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 112	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 112	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 112	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 112	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 112	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 112	548	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1648	112	rundll32.exe	svchost.exe
PID 112 wrote to memory of 1648	112	rundll32.exe	svchost.exe
PID 112 wrote to memory of 1648	112	rundll32.exe	svchost.exe
PID 112 wrote to memory of 1648	112	rundll32.exe	svchost.exe
PID 112 wrote to memory of 1648	112	rundll32.exe	svchost.exe
PID 112 wrote to memory of 1648	112	rundll32.exe	svchost.exe
PID 112 wrote to memory of 1648	112	rundll32.exe	svchost.exe
PID 1648 wrote to memory of 1196	1648	svchost.exe	Explorer.EXE
PID 1648 wrote to memory of 1196	1648	svchost.exe	Explorer.EXE
PID 1648 wrote to memory of 1196	1648	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1196
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5b2765aaf97ae9c22abd312e684616d.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5b2765aaf97ae9c22abd312e684616d.dll,#1
    3⤵
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\authCore\aecahell.dll

MD5
b5b2765aaf97ae9c22abd312e684616d

SHA1
a66a652c2067f7489b83aba3b78502c0f482863b

SHA256
9f6d02b422cb72eb3bbc723b8b4a692bc9f641f1908b7e4b32685b2ad42fbef7

SHA512
af6c0a6c582a0cfd4f7de6bf1cf0199898b31edc0dba5467a499c2148e425d91d556bd7eebd08faf093d610cbf2afbee2237affc206106c7209cb2492a563279

Download Submit
memory/112-2-0x0000000000000000-mapping.dmp

Download
memory/112-3-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/112-5-0x0000000000890000-0x00000000008F2000-memory.dmp

Filesize
392KB

Download
memory/112-4-0x00000000006F0000-0x000000000074F000-memory.dmp

Filesize
380KB

Download
memory/112-7-0x0000000000890000-0x00000000008F2000-memory.dmp

Filesize
392KB

Download
memory/1196-11-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1196-12-0x0000000004A20000-0x0000000004B1C000-memory.dmp

Filesize
1008KB

Download
memory/1648-6-0x0000000000000000-mapping.dmp

Download
memory/1648-10-0x0000000000430000-0x000000000052C000-memory.dmp

Filesize
1008KB

Download
memory/1648-9-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads