gozi_ifsb | 09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285

Target

out.dll
Size

95KB
MD5

2ff0ff62b5cf7e7097f75a37492f02f8
SHA1

9d60d24299762f4aa7fa71838b58e4e747b95df6
SHA256

09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285
SHA512

dc9a5422b9f49910db2ad66d4b4d010fb538e6c12e214c33b4b5ee3c5b96591d251b17d9ff99a7dea83b25b62e6ec521a7292471f42def6cb00b2fa139a9eea6

Score

10^/10

gozi_ifsb 1100 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1100

api10.laptok.at/api1

golang.feel500.at/api1

go.in100k.at/api1

Attributes

build
250171
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
730

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30917353"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb0000000002000000000010660000000100002000000065c4b62c9ddba1cad3a082ff744799811a4a937f39d582b61ae5c41f62a04dcd000000000e80000000020000200000005de5f22720ed027e536e30a28234bac90ded49ad4de20ec9c95911e4c78a133020000000f8e2d2b4b9e65e576c6206a0ff3edbd39a229fc1ec5550cded73697d77a8025b40000000e747cb19c4ee52481702fcfc09ab320e64c4c5e351e43c87d8cadb0e71147b513ea54fb0e5d07ea5e8f3f3b9bc496028b9349a4bf146dcfb604d853c9bc37bdc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb00000000020000000000106600000001000020000000ebbe3f88622cd611188b33ec8d44ac486a3877c18ef33eb9766a97a21d9568cb000000000e8000000002000020000000fcf06a18ee1a7e147d9c48dcbbd24b9857ea40c69577b23656e681a3786ca774200000000f87da833dc26a1e43ee808410f7715e3bda65cc36e312a74fcff4395a143c89400000001a77e71b41d83c24712b796d01e82a781786f26ae76e26c9bc6656dc743145335f6475383b78bc7e16a7877ad930eebbbfffa6b9980dc5e5065f2d803a4eaf6f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5056c716e9c2d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1095e116e9c2d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "341543955"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3F30E412-2EDC-11EC-B8A2-6E8637DC7581} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30917353"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "341387728"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid	Process
2828	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
2828	iexplore.exe
2828	iexplore.exe
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exeiexplore.exe

description	pid	Process	procid_target
PID 2724 wrote to memory of 3028	2724	rundll32.exe	69
PID 2724 wrote to memory of 3028	2724	rundll32.exe	69
PID 2724 wrote to memory of 3028	2724	rundll32.exe	69
PID 2828 wrote to memory of 3036	2828	iexplore.exe	72
PID 2828 wrote to memory of 3036	2828	iexplore.exe	72
PID 2828 wrote to memory of 3036	2828	iexplore.exe	72

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\out.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\out.dll,#1
  2⤵
  PID:3028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2828-141-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-179-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-182-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-171-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-119-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-120-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-122-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-123-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-124-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-125-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-127-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-126-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-128-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-130-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-131-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-132-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-134-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-144-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-137-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-138-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-139-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-140-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-118-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-167-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-135-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-145-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-147-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-148-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-150-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-152-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-153-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-154-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-158-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-159-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-160-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-161-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-162-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-163-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-164-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-165-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/2828-166-0x00007FFDC41D0000-0x00007FFDC423B000-memory.dmp

Filesize
428KB

Download
memory/3028-117-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3028-115-0x0000000000000000-mapping.dmp

Download
memory/3028-116-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/3036-143-0x0000000000000000-mapping.dmp

Download