Analysis

  • max time kernel
    143s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19/03/2022, 15:39

General

  • Target

    8bfc0d33681f4117e5cde9ae80cc506811689240f03b6efdcde175be9191fefb.exe

  • Size

    265KB

  • MD5

    29d1651ef8389ba50bf0d79fff4aad1c

  • SHA1

    128ba046f2adb250471383e54a5c110593933df5

  • SHA256

    8bfc0d33681f4117e5cde9ae80cc506811689240f03b6efdcde175be9191fefb

  • SHA512

    78c8969c4d213de79c439c735fdfe20f734a531e3f25ad853972d7eb6dbe5eabcb2b7ba154562f4f1f7cc1f86b169cadb570b282cdc9507e420fa18e62e435bf

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8005

C2

ssddl2.microsoft.com

siberiarrmaskkapsulrttezya.ru

sibedriamasterkkmoderatordstezya.ru

massidfberiatersksilkavayssstezya.ru

dolsggiberiaoserkmikluhasya.chimkent.su

dolsibegriaosersk4ermanderezya.chimkent.su

rdosdripakloserikabyatezya.chimkent.su

rusddripakoloserufinurtdrfezya.chimkent.su

ripakteenrufinishryeuliliezya.ru

rufiteemnisripakhglassdzya.ru

rufinisrufripakhmileronurzya.ru

rurugyrfripakinishtokokusstezya.ru

rufislomnishsripakerdfnstezya.adygeya.su

Attributes
  • build

    250161

  • dns_servers

    107.174.86.134

    107.175.127.22

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • suricata: ET MALWARE Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected

    suricata: ET MALWARE Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bfc0d33681f4117e5cde9ae80cc506811689240f03b6efdcde175be9191fefb.exe
    "C:\Users\Admin\AppData\Local\Temp\8bfc0d33681f4117e5cde9ae80cc506811689240f03b6efdcde175be9191fefb.exe"
    1⤵
      PID:2964
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4140
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3080
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3440 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:224
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5016 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4492
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2112

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2964-130-0x00000000052E2000-0x00000000052ED000-memory.dmp

              Filesize

              44KB

            • memory/2964-131-0x00000000052E2000-0x00000000052ED000-memory.dmp

              Filesize

              44KB

            • memory/2964-132-0x0000000000030000-0x000000000003C000-memory.dmp

              Filesize

              48KB

            • memory/2964-133-0x0000000000400000-0x000000000516F000-memory.dmp

              Filesize

              77.4MB