gozi_ifsb | d8f3fedde975e393530b694eee1ef9c981b48bc46b4e24749c20189a6fa58e79

Analysis

max time kernel
140s
max time network
138s
platform
windows10_x64
resource
win10v20201028
submitted
18-02-2021 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.bin.dll
Size

93KB
MD5

913c77883aa2e28ec98e5cf86d6fc2cb
SHA1

5a5c60b32770cb4654269a812d07e13767ad7ed6
SHA256

ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d
SHA512

8722b1958bdea7c23073d4f26c8f47221244ff44d243d253948a48d3635b5c96131078cb867e3f83f6cfdb4800c26ca4da9b4c12ce56219591b5c716ba058bf9

Score

10^/10

gozi_ifsb 3300 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3300

api10.laptok.at/api1

golang.feel500.at/api1

go.in100k.at/api1

Attributes

build
250171
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
730

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D18829C4-722A-11EB-B59A-6E25161A58E2} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

744 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

744 iexplore.exe
744 iexplore.exe
4076 IEXPLORE.EXE
4076 IEXPLORE.EXE

pid	process
744	iexplore.exe

pid	process
744	iexplore.exe
744	iexplore.exe
4076	IEXPLORE.EXE
4076	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exeiexplore.exe

description	pid	process	target process
PID 644 wrote to memory of 1444	644	rundll32.exe	rundll32.exe
PID 644 wrote to memory of 1444	644	rundll32.exe	rundll32.exe
PID 644 wrote to memory of 1444	644	rundll32.exe	rundll32.exe
PID 744 wrote to memory of 4076	744	iexplore.exe	IEXPLORE.EXE
PID 744 wrote to memory of 4076	744	iexplore.exe	IEXPLORE.EXE
PID 744 wrote to memory of 4076	744	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.bin.dll,#1
2⤵
PID:1444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:744 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1444-2-0x0000000000000000-mapping.dmp

Download
memory/1444-3-0x0000000004D80000-0x0000000006D93000-memory.dmp

Filesize
32.1MB

Download
memory/1444-4-0x0000000010000000-0x0000000012013000-memory.dmp

Filesize
32.1MB

Download
memory/4076-5-0x0000000000000000-mapping.dmp

Download