Analysis

  • max time kernel
    155s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    21/03/2022, 08:14

General

  • Target

    50ed0329ffb7ae83f7a8042ef7f6bd5af5f308e52f479965358cfe4d646b1847.exe

  • Size

    273KB

  • MD5

    c0de3291fe744c4941a518ac41cdcd10

  • SHA1

    07a83577f3af719d8cf386d9768edb24a104abab

  • SHA256

    50ed0329ffb7ae83f7a8042ef7f6bd5af5f308e52f479965358cfe4d646b1847

  • SHA512

    a64a7a039a5e2e3639eec32b6e79f8f89cd815a3ea581a944a74d943699b30122351512ed7344d5862fcfc6d85422e6d1d27dc849beb6a5e388928c79daf14e3

Malware Config

Extracted

Family

gozi_ifsb

Botnet

7622

C2

botanlink.top

linkspremium.ru

premiumlists.ru

Attributes
  • base_path

    /drew/

  • build

    250225

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50ed0329ffb7ae83f7a8042ef7f6bd5af5f308e52f479965358cfe4d646b1847.exe
    "C:\Users\Admin\AppData\Local\Temp\50ed0329ffb7ae83f7a8042ef7f6bd5af5f308e52f479965358cfe4d646b1847.exe"
    1⤵
      PID:2280
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:1564
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1228 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2432
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1416 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1512
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        1⤵
        • Modifies data under HKEY_USERS
        PID:2820

Downloads

  • memory/2280-134-0x0000000000650000-0x000000000065A000-memory.dmp

    Filesize

    40KB

  • memory/2280-135-0x00000000021D0000-0x00000000021DB000-memory.dmp

    Filesize

    44KB

  • memory/2280-136-0x0000000000400000-0x0000000000475000-memory.dmp

    Filesize

    468KB

  • memory/2820-138-0x000001E619F20000-0x000001E619F30000-memory.dmp

    Filesize

    64KB

  • memory/2820-137-0x000001E619370000-0x000001E619380000-memory.dmp

    Filesize

    64KB

  • memory/2820-139-0x000001E61C2F0000-0x000001E61C2F4000-memory.dmp

    Filesize

    16KB