gozi_ifsb | a58f423a00ca933ae2898803bd1b3a07a2cd76ef1aa0d5de69905d80a096874c

General

Target

a58f423a00ca933ae2898803bd1b3a07a2cd76ef1aa0d5de69905d80a096874c.dll
Size

306KB
MD5

98d030eeefc3536d68ccb9ae3a2d1502
SHA1

9f7d95691e0116f7c0d0f222de2149b073ef6cb6
SHA256

a58f423a00ca933ae2898803bd1b3a07a2cd76ef1aa0d5de69905d80a096874c
SHA512

bbfbd2525c24a5c0474d001f61edabed1ff05f83fb574eb16790e36298da80d8a56d10f28582340f438a3483d232a4efd19055b687fc773aef25856148c2ba52

Score

10^/10

gozi_ifsb 6000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D3E5C28-DE76-11EB-A11C-4A85C7F4578F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1172 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1172 iexplore.exe
1172 iexplore.exe
2140 IEXPLORE.EXE
2140 IEXPLORE.EXE

pid	process
1172	iexplore.exe

pid	process
1172	iexplore.exe
1172	iexplore.exe
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exeiexplore.exe

description	pid	process	target process
PID 1832 wrote to memory of 3764	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 3764	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 3764	1832	rundll32.exe	rundll32.exe
PID 1172 wrote to memory of 2140	1172	iexplore.exe	IEXPLORE.EXE
PID 1172 wrote to memory of 2140	1172	iexplore.exe	IEXPLORE.EXE
PID 1172 wrote to memory of 2140	1172	iexplore.exe	IEXPLORE.EXE

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a58f423a00ca933ae2898803bd1b3a07a2cd76ef1aa0d5de69905d80a096874c.dll,#1
1⤵
PID:3764

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a58f423a00ca933ae2898803bd1b3a07a2cd76ef1aa0d5de69905d80a096874c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1172 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-119-0x00007FFCC8390000-0x00007FFCC83FB000-memory.dmp

Filesize
428KB

Download
memory/2140-120-0x0000000000000000-mapping.dmp

Download
memory/3764-114-0x0000000000000000-mapping.dmp

Download
memory/3764-115-0x0000000000950000-0x00000000009FE000-memory.dmp

Filesize
696KB

Download
memory/3764-117-0x0000000074120000-0x000000007420A000-memory.dmp

Filesize
936KB

Download
memory/3764-116-0x0000000074120000-0x000000007412D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing