gozi_ifsb | 9ae13bdb906bf774982242a378a20fb25da3e29dd7b5e1acd2531562319edba6

General

Target

3b17.dll
Size

607KB
MD5

3b17fcc55cee8cbe4cd1b443f358c36d
SHA1

45d1e652f282a94b37ac32afb62ff563afb2fb39
SHA256

9ae13bdb906bf774982242a378a20fb25da3e29dd7b5e1acd2531562319edba6
SHA512

6b299214396c3ea94d01f7211ffed949f4e615c12586d2191b633c12f6d7d2881c01bc2d1b360bf05d15b58c604104e222d7f33297e63c067144de4bf2c5c337

Score

10^/10

gozi_ifsb 6000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

gtr.antoinfer.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E6EEB3D9-DDB0-11EB-B2DB-DAB5BEA07F06} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2284 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2284 iexplore.exe
2284 iexplore.exe
3684 IEXPLORE.EXE
3684 IEXPLORE.EXE

pid	process
2284	iexplore.exe

pid	process
2284	iexplore.exe
2284	iexplore.exe
3684	IEXPLORE.EXE
3684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exeiexplore.exe

description	pid	process	target process
PID 808 wrote to memory of 1180	808	rundll32.exe	rundll32.exe
PID 808 wrote to memory of 1180	808	rundll32.exe	rundll32.exe
PID 808 wrote to memory of 1180	808	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 3684	2284	iexplore.exe	IEXPLORE.EXE
PID 2284 wrote to memory of 3684	2284	iexplore.exe	IEXPLORE.EXE
PID 2284 wrote to memory of 3684	2284	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b17.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b17.dll,#1
2⤵
PID:1180

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1180-114-0x0000000000000000-mapping.dmp

Download
memory/1180-116-0x00000000737F0000-0x0000000073920000-memory.dmp

Filesize
1.2MB

Download
memory/1180-115-0x00000000737F0000-0x00000000737FD000-memory.dmp

Filesize
52KB

Download
memory/1180-117-0x00000000032F0000-0x000000000343A000-memory.dmp

Filesize
1.3MB

Download
memory/2284-118-0x00007FFA108A0000-0x00007FFA1090B000-memory.dmp

Filesize
428KB

Download
memory/3684-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing