gozi_ifsb | 80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764

General

Target

80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe
Size

273KB
MD5

54cd7479c93e54ce8c9784b8b1a0392b
SHA1

c3e15e023c4ae835789b82befbe328ae137417ea
SHA256

80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764
SHA512

cea67d7c1094b107a83c607196d9d4d16e0d7d6b7e5cdaa81d83e52422a9194203680d65b44c106c46a8e47dc6251fe292930e9fcc8b757b7d5242383286afbb

Score

10^/10

gozi_ifsb 10003 banker persistence trojan upx

Malware Config

Extracted

Family

gozi_ifsb

Botnet

10003

C2

127.0.0.1

Attributes

build
214711
dga_base_url
z1.zedo.com/robots.txt
dga_crc
0xf24ca29e
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

Bitshost.exe

pid process

788 Bitshost.exe

pid	process
788	Bitshost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe	upx
C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe	upx

Deletes itself 1 IoCs

Processes:

Bitshost.exe

pid process

788 Bitshost.exe

pid	process
788	Bitshost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Abovsapi = "C:\\Users\\Admin\\AppData\\Roaming\\capasnap\\Bitshost.exe"	80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Bitshost.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 788 set thread context of 4500	788	Bitshost.exe	svchost.exe
PID 4500 set thread context of 2452	4500	svchost.exe	Explorer.EXE
PID 2452 set thread context of 3592	2452	Explorer.EXE	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Bitshost.exeExplorer.EXE

pid process

788 Bitshost.exe
788 Bitshost.exe
2452 Explorer.EXE
2452 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2452 Explorer.EXE
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Bitshost.exesvchost.exeExplorer.EXE

pid process

788 Bitshost.exe
4500 svchost.exe
2452 Explorer.EXE

pid	process
788	Bitshost.exe
788	Bitshost.exe
2452	Explorer.EXE
2452	Explorer.EXE

pid	process
2452	Explorer.EXE

pid	process
788	Bitshost.exe
4500	svchost.exe
2452	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	2452	Explorer.EXE
Token: SeCreatePagefilePrivilege	2452	Explorer.EXE
Token: SeShutdownPrivilege	2452	Explorer.EXE
Token: SeCreatePagefilePrivilege	2452	Explorer.EXE
Token: SeShutdownPrivilege	2452	Explorer.EXE
Token: SeCreatePagefilePrivilege	2452	Explorer.EXE
Token: SeShutdownPrivilege	2452	Explorer.EXE
Token: SeCreatePagefilePrivilege	2452	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2452 Explorer.EXE

pid	process
2452	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.execmd.execmd.exeBitshost.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 3572 wrote to memory of 4332	3572	80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe	cmd.exe
PID 3572 wrote to memory of 4332	3572	80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe	cmd.exe
PID 3572 wrote to memory of 4332	3572	80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe	cmd.exe
PID 4332 wrote to memory of 4448	4332	cmd.exe	cmd.exe
PID 4332 wrote to memory of 4448	4332	cmd.exe	cmd.exe
PID 4332 wrote to memory of 4448	4332	cmd.exe	cmd.exe
PID 4448 wrote to memory of 788	4448	cmd.exe	Bitshost.exe
PID 4448 wrote to memory of 788	4448	cmd.exe	Bitshost.exe
PID 4448 wrote to memory of 788	4448	cmd.exe	Bitshost.exe
PID 788 wrote to memory of 4500	788	Bitshost.exe	svchost.exe
PID 788 wrote to memory of 4500	788	Bitshost.exe	svchost.exe
PID 788 wrote to memory of 4500	788	Bitshost.exe	svchost.exe
PID 788 wrote to memory of 4500	788	Bitshost.exe	svchost.exe
PID 788 wrote to memory of 4500	788	Bitshost.exe	svchost.exe
PID 4500 wrote to memory of 2452	4500	svchost.exe	Explorer.EXE
PID 4500 wrote to memory of 2452	4500	svchost.exe	Explorer.EXE
PID 4500 wrote to memory of 2452	4500	svchost.exe	Explorer.EXE
PID 2452 wrote to memory of 3592	2452	Explorer.EXE	RuntimeBroker.exe
PID 2452 wrote to memory of 3592	2452	Explorer.EXE	RuntimeBroker.exe
PID 2452 wrote to memory of 3592	2452	Explorer.EXE	RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3592

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe
"C:\Users\Admin\AppData\Local\Temp\80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B36E\D9B7.bat" "C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\80E3A5~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\80E3A5~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
"C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\80E3A5~1.EXE"
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B36E\D9B7.bat
MD5
2198b3dc06e6e9e9678cd1450185c0ac

SHA1
8bce4fedb8fb6ff043319f674cd6c35ff3e22dc6

SHA256
90397ede065fdcb6d520ae922989a0f17b4dad9b9ad9ce64395f480c2abb16e6

SHA512
e12bab62f4bf7b819fb1ac3d0c11b8fba7c4992716aeb35ebc091cedec77ce93ae8d6540bc0ccc9478190d29707402697046b9c56222ef55efb71a86558a6e67

Download Submit
C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
MD5
54cd7479c93e54ce8c9784b8b1a0392b

SHA1
c3e15e023c4ae835789b82befbe328ae137417ea

SHA256
80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764

SHA512
cea67d7c1094b107a83c607196d9d4d16e0d7d6b7e5cdaa81d83e52422a9194203680d65b44c106c46a8e47dc6251fe292930e9fcc8b757b7d5242383286afbb

Download Submit
C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
MD5
54cd7479c93e54ce8c9784b8b1a0392b

SHA1
c3e15e023c4ae835789b82befbe328ae137417ea

SHA256
80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764

SHA512
cea67d7c1094b107a83c607196d9d4d16e0d7d6b7e5cdaa81d83e52422a9194203680d65b44c106c46a8e47dc6251fe292930e9fcc8b757b7d5242383286afbb

Download Submit
memory/788-120-0x0000000000000000-mapping.dmp

Download
memory/788-123-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2452-127-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download
memory/2452-132-0x0000000000A90000-0x0000000000B26000-memory.dmp

Filesize
600KB

Download
memory/2452-128-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download
memory/2452-131-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/3572-116-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3572-115-0x00000000008F0000-0x000000000092C000-memory.dmp

Filesize
240KB

Download
memory/3592-135-0x0000019A235B0000-0x0000019A235B1000-memory.dmp

Filesize
4KB

Download
memory/3592-136-0x0000019A25890000-0x0000019A25926000-memory.dmp

Filesize
600KB

Download
memory/3592-134-0x0000019A23750000-0x0000019A23752000-memory.dmp

Filesize
8KB

Download
memory/3592-133-0x0000019A23750000-0x0000019A23752000-memory.dmp

Filesize
8KB

Download
memory/4332-117-0x0000000000000000-mapping.dmp

Download
memory/4448-119-0x0000000000000000-mapping.dmp

Download
memory/4500-126-0x000002A424E50000-0x000002A424E52000-memory.dmp

Filesize
8KB

Download
memory/4500-130-0x0000000000CE0000-0x0000000000D76000-memory.dmp

Filesize
600KB

Download
memory/4500-129-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/4500-125-0x000002A424E50000-0x000002A424E52000-memory.dmp

Filesize
8KB

Download
memory/4500-124-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads