gozi_ifsb | f87ed79fbb1a2228c97fb59127eade39c4f8218fa28ddd76b50da177d81438e3

General

Target

nextClear.jpg.dll
Size

563KB
MD5

9d7f1e8c8fca96cc2cbed2c7d1b954ca
SHA1

f086f0be7d9ed6fe64291bf64f456630fb81cb70
SHA256

f87ed79fbb1a2228c97fb59127eade39c4f8218fa28ddd76b50da177d81438e3
SHA512

9f311d61716c0ab2f4dd059505ac8b4def4db90815f422b5f236b8b1c929dabe3d3d5223d834357431f9bd8d5578c179c7f78a131f0428cf0e3a304edc741113

Score

10^/10

gozi_ifsb 5500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5500

C2

windows.update.com

shop.microsoft.com

fraloopilo.xyz

paladingrazz.xyz

Attributes

build
250177
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2027ed9d0f18d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DAF79C27-8402-11EB-B59A-5EE6A97A695A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2527379772"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007840c697d42ca64495f00ec94712bbae000000000200000000001066000000010000200000009fe81ed32ed3654c162f6ce0b389339486b1c066b90809896c07b8c6aa270a72000000000e80000000020000200000005dba8c7027d306678978e34db4236b8b5b7462f170900bc711d175165026188d20000000132231e61737444572911837785bbf312cbcb123efe8240e12541bb1c6533797400000002cd8abb54c53507a81f957270a963f627c4ff5ef06f2ff53bb0f3733b1e3474447bf7c45ba08a224c03f1d774b4d8e7a406a1830fedebc8b7206ab76e111c663	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007840c697d42ca64495f00ec94712bbae00000000020000000000106600000001000020000000ab52afa2af9e45671f64ce30a28c865e8504f6d422d737045472398d57384cb4000000000e8000000002000020000000ecc0ef13c29ee34204a9f24dde6bf5d62446bfeefb5b24b44f850002ba0f61c42000000030ea223dd9126fa54653fd12d437423d23ce73451d0c1db1986bb56078f7726d400000005509a2928eafd096c0475d4929e45dcae8015b6ab3539349f9d9634286c92aeffbd06869acf04817aa4df580c7271222d207f981d35a8dbebefca267b8881cbc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30873615"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007840c697d42ca64495f00ec94712bbae00000000020000000000106600000001000020000000a60c62194c74e859b75c47b34056106c146f44766e7fa02172f19f9f1b30afe4000000000e800000000200002000000054f2ae797d9fbd388140a742104b18144d431782750d0efc2386cbc596fae9e720000000b1100d9fc7ea2d782550c48ec10ad41523aa573f85d6c9b191f25698a2d810bb4000000013ef05c382153d70264b79ea96ce50a55fa1d2938e4d6e0ef15397fb8ada754e3490c27eb5fd672a09b6c0cab769af027322e3a270de46d7a96912e14d4cd145	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f30f970f18d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f0979f0f18d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007840c697d42ca64495f00ec94712bbae00000000020000000000106600000001000020000000b9f2ceb9b0673a20989a7b0ed3b8a7c5b885e2b7d1bd936d49f69d5108c44609000000000e8000000002000020000000487d13dc9abe7c0a8c08bf46240dc6c77abbf0ebe94382a159ebbe03ce5d653c200000007c9378bf060cbdc314a670b0abd882f66050d44060bc3f631c1abd14a14c77a540000000e3c0065a38a0a0c10285ab9af7e0f3afb5ab839cf77645820dd7d86875b77aa43c4eb57956ad9101de3785744039aa3731a23b4d13a815b47c4416cf54974487	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2527224094"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30873615"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007840c697d42ca64495f00ec94712bbae0000000002000000000010660000000100002000000001441f22ada382568b3f0c11f9c29e77afae4945107f2438d78a0670d4dbedb4000000000e8000000002000020000000d5dab0d623135237aa8a2e5c0dc4638de17d01f9c3bfba863918988b6e83ade12000000047860b39ecfcbe3dc5d1c66368d991793ff2627a21b14fe936bce584bb9e7259400000007407fba609b874e868bd1527f778146bc24d4af0243984f9fca86c6cc0d1e417d788fb359726d932fa304e18ab99cf95b1deabd96643058b24291dc031b0079c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C1CFEC71-8402-11EB-B59A-5EE6A97A695A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d09c4b970f18d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f06bc89e0f18d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

3676 iexplore.exe
2740 iexplore.exe
2740 iexplore.exe
2740 iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
3676	iexplore.exe
3676	iexplore.exe
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
2740	iexplore.exe
2740	iexplore.exe
3412	IEXPLORE.EXE
3412	IEXPLORE.EXE
2740	iexplore.exe
2740	iexplore.exe
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
2740	iexplore.exe
2740	iexplore.exe
3412	IEXPLORE.EXE
3412	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

regsvr32.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2604 wrote to memory of 3788	2604	regsvr32.exe	regsvr32.exe
PID 2604 wrote to memory of 3788	2604	regsvr32.exe	regsvr32.exe
PID 2604 wrote to memory of 3788	2604	regsvr32.exe	regsvr32.exe
PID 3676 wrote to memory of 1344	3676	iexplore.exe	IEXPLORE.EXE
PID 3676 wrote to memory of 1344	3676	iexplore.exe	IEXPLORE.EXE
PID 3676 wrote to memory of 1344	3676	iexplore.exe	IEXPLORE.EXE
PID 2740 wrote to memory of 3412	2740	iexplore.exe	IEXPLORE.EXE
PID 2740 wrote to memory of 3412	2740	iexplore.exe	IEXPLORE.EXE
PID 2740 wrote to memory of 3412	2740	iexplore.exe	IEXPLORE.EXE
PID 2740 wrote to memory of 1788	2740	iexplore.exe	IEXPLORE.EXE
PID 2740 wrote to memory of 1788	2740	iexplore.exe	IEXPLORE.EXE
PID 2740 wrote to memory of 1788	2740	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\nextClear.jpg.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\nextClear.jpg.dll
2⤵
PID:3788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3676

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3676 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3412

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:82951 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\WTV3NVJ9.cookie
MD5
e37ef730a02b3e6ef303a649809af377

SHA1
241101af4841b25b626a593bb2c596ee1d667b91

SHA256
5b2043a93c8c289b6d437699f80d03fd9cf6bfc3f95c268ee6c4a54ae85c623a

SHA512
49181ad0a04d3d46e36568b0695addbc84263f129d611ce17fb12410da6d6e1a8af19d8c5a0bd3a252399f5a1e7fd4b4a37c2cf8ae1949255b961655327ed7c9

Download Submit
memory/1344-5-0x0000000000000000-mapping.dmp

Download
memory/1788-8-0x0000000000000000-mapping.dmp

Download
memory/3412-6-0x0000000000000000-mapping.dmp

Download
memory/3788-2-0x0000000000000000-mapping.dmp

Download
memory/3788-3-0x0000000073CC0000-0x0000000073CCF000-memory.dmp

Filesize
60KB

Download
memory/3788-4-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads