gozi_ifsb | 3b5b0403702eb792bae7f736afdfb7474d83a1ee471c334e9988926d3cf420ae

General

Target

globalCounter.hta
Size

2KB
MD5

a10cc5c493b3ebc1f075424e146e92f0
SHA1

1ccaa12aae57ee57c36db36d5eb315373bcadb6c
SHA256

3b5b0403702eb792bae7f736afdfb7474d83a1ee471c334e9988926d3cf420ae
SHA512

148c03979dedb4b24ca88dad4b0d4d7ea6409febd34921044fa37be016632bb0267c737ef2b0d3da317010f0a868ced277ec632868cd8810fdc80646260adcdd

Score

10^/10

gozi_ifsb 6000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

5 1248 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

344 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

flow	pid	process
5	1248	mshta.exe

pid	process
344	regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

mshta.exe

description	pid	process	target process
PID 1248 wrote to memory of 344	1248	mshta.exe	regsvr32.exe
PID 1248 wrote to memory of 344	1248	mshta.exe	regsvr32.exe
PID 1248 wrote to memory of 344	1248	mshta.exe	regsvr32.exe
PID 1248 wrote to memory of 344	1248	mshta.exe	regsvr32.exe
PID 1248 wrote to memory of 344	1248	mshta.exe	regsvr32.exe
PID 1248 wrote to memory of 344	1248	mshta.exe	regsvr32.exe
PID 1248 wrote to memory of 344	1248	mshta.exe	regsvr32.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\globalCounter.hta"
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\globalCounter.jpg
2⤵
- Loads dropped DLL
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\users\public\globalCounter.jpg
MD5
3849a8c0cdebf6b8d360ba056e65b092

SHA1
8da10eedee90cc9e2c03946dbe31dd04d071ec62

SHA256
7fee6aa3d700b17ea7eccbecb00be255ccedbd68575324d144a812f8cc3b29df

SHA512
98d72188f30ba60f0295eced90f0d88af0b07d0805029daaf9669fcb04b06006ac73ebe0d7b91b7a68fe87cbb1ec7a4d8b17d1915f6257749206e88b71815127

Download Submit
\Users\Public\globalCounter.jpg
MD5
3849a8c0cdebf6b8d360ba056e65b092

SHA1
8da10eedee90cc9e2c03946dbe31dd04d071ec62

SHA256
7fee6aa3d700b17ea7eccbecb00be255ccedbd68575324d144a812f8cc3b29df

SHA512
98d72188f30ba60f0295eced90f0d88af0b07d0805029daaf9669fcb04b06006ac73ebe0d7b91b7a68fe87cbb1ec7a4d8b17d1915f6257749206e88b71815127

Download Submit
memory/344-59-0x0000000000000000-mapping.dmp

Download
memory/344-60-0x0000000076A01000-0x0000000076A03000-memory.dmp

Filesize
8KB

Download
memory/344-64-0x00000000732E0000-0x000000007338F000-memory.dmp

Filesize
700KB

Download
memory/344-63-0x00000000732E0000-0x00000000732ED000-memory.dmp

Filesize
52KB

Download
memory/344-65-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing