gozi_ifsb | 14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549

General

Target

14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549.exe
Size

507KB
MD5

acae0628b7df86f2257e76c064adc63c
SHA1

0ad10d85a70187745849d38551e6cb197f067d19
SHA256

14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549
SHA512

a81035177ebded54a1b54061f84da06fe42ee56fb2f07e0a1c7cc39eb109b83c1ef196034bba743b1eca47e7a6b78866327f5f3c5fbfd93c084735c7d8332027

Score

10^/10

gozi_ifsb banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
214963

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

DDOIdMgr.exe

pid process

2016 DDOIdMgr.exe
Deletes itself 1 IoCs

Processes:

DDOIdMgr.exe

pid process

2016 DDOIdMgr.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1916 cmd.exe
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

pid	process
2016	DDOIdMgr.exe

pid	process
2016	DDOIdMgr.exe

pid	process
1916	cmd.exe

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\auth8thk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Datadler\\DDOIdMgr.exe"	14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

DDOIdMgr.exesvchost.exe

description	pid	process	target process
PID 2016 set thread context of 2020	2016	DDOIdMgr.exe	svchost.exe
PID 2020 set thread context of 1344	2020	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DDOIdMgr.exeExplorer.EXE

pid process

2016 DDOIdMgr.exe
1344 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

DDOIdMgr.exesvchost.exe

pid process

2016 DDOIdMgr.exe
2020 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1344 Explorer.EXE
1344 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1344 Explorer.EXE
1344 Explorer.EXE

pid	process
2016	DDOIdMgr.exe
1344	Explorer.EXE

pid	process
2016	DDOIdMgr.exe
2020	svchost.exe

pid	process
1344	Explorer.EXE
1344	Explorer.EXE

pid	process
1344	Explorer.EXE
1344	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549.execmd.execmd.exeDDOIdMgr.exesvchost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 800 wrote to memory of 1500	800	14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549.exe	cmd.exe
PID 800 wrote to memory of 1500	800	14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549.exe	cmd.exe
PID 800 wrote to memory of 1500	800	14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549.exe	cmd.exe
PID 800 wrote to memory of 1500	800	14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549.exe	cmd.exe
PID 1500 wrote to memory of 1916	1500	cmd.exe	cmd.exe
PID 1500 wrote to memory of 1916	1500	cmd.exe	cmd.exe
PID 1500 wrote to memory of 1916	1500	cmd.exe	cmd.exe
PID 1500 wrote to memory of 1916	1500	cmd.exe	cmd.exe
PID 1916 wrote to memory of 2016	1916	cmd.exe	DDOIdMgr.exe
PID 1916 wrote to memory of 2016	1916	cmd.exe	DDOIdMgr.exe
PID 1916 wrote to memory of 2016	1916	cmd.exe	DDOIdMgr.exe
PID 1916 wrote to memory of 2016	1916	cmd.exe	DDOIdMgr.exe
PID 2016 wrote to memory of 2020	2016	DDOIdMgr.exe	svchost.exe
PID 2016 wrote to memory of 2020	2016	DDOIdMgr.exe	svchost.exe
PID 2016 wrote to memory of 2020	2016	DDOIdMgr.exe	svchost.exe
PID 2016 wrote to memory of 2020	2016	DDOIdMgr.exe	svchost.exe
PID 2016 wrote to memory of 2020	2016	DDOIdMgr.exe	svchost.exe
PID 2016 wrote to memory of 2020	2016	DDOIdMgr.exe	svchost.exe
PID 2016 wrote to memory of 2020	2016	DDOIdMgr.exe	svchost.exe
PID 2020 wrote to memory of 1344	2020	svchost.exe	Explorer.EXE
PID 2020 wrote to memory of 1344	2020	svchost.exe	Explorer.EXE
PID 2020 wrote to memory of 1344	2020	svchost.exe	Explorer.EXE
PID 1344 wrote to memory of 1732	1344	Explorer.EXE	cmd.exe
PID 1344 wrote to memory of 1732	1344	Explorer.EXE	cmd.exe
PID 1344 wrote to memory of 1732	1344	Explorer.EXE	cmd.exe
PID 1732 wrote to memory of 1472	1732	cmd.exe	nslookup.exe
PID 1732 wrote to memory of 1472	1732	cmd.exe	nslookup.exe
PID 1732 wrote to memory of 1472	1732	cmd.exe	nslookup.exe
PID 1344 wrote to memory of 828	1344	Explorer.EXE	cmd.exe
PID 1344 wrote to memory of 828	1344	Explorer.EXE	cmd.exe
PID 1344 wrote to memory of 828	1344	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549.exe
  "C:\Users\Admin\AppData\Local\Temp\14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\5953\F25.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe" "C:\Users\Admin\AppData\Local\Temp\14C677~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe" "C:\Users\Admin\AppData\Local\Temp\14C677~1.EXE""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe
        
        "C:\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe" "C:\Users\Admin\AppData\Local\Temp\14C677~1.EXE"
        5⤵
        Executes dropped EXE
        Deletes itself
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2020
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\C4E4.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1472
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C4E4.bi1"
  2⤵
  PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5953\F25.bat

Filesize
108B

MD5
3c422cca0209857d00ea25fd1cbd3ff9

SHA1
85e36a57db65448968bd4a246ef15b8081f58356

SHA256
1d85f288fc19f2f9d4c962e2f70a2708f2d45d81d96e1fc6d9d9ba932f483236

SHA512
677d6ff6aa1a49af8d43872cbda25e8e79da6b148845ad60951ccac21c188b617d7b6e17a466f4c2ed8610548db69b36d35309ede44e269c9dc331d412458de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4E4.bi1

Filesize
118B

MD5
4f6429322fdfd711b81d8824b25fcd9c

SHA1
f7f917b64dd43b620bacd21f134d430d3c406aec

SHA256
d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8

SHA512
e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4E4.bi1

Filesize
118B

MD5
4f6429322fdfd711b81d8824b25fcd9c

SHA1
f7f917b64dd43b620bacd21f134d430d3c406aec

SHA256
d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8

SHA512
e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe

Filesize
507KB

MD5
acae0628b7df86f2257e76c064adc63c

SHA1
0ad10d85a70187745849d38551e6cb197f067d19

SHA256
14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549

SHA512
a81035177ebded54a1b54061f84da06fe42ee56fb2f07e0a1c7cc39eb109b83c1ef196034bba743b1eca47e7a6b78866327f5f3c5fbfd93c084735c7d8332027

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe

Filesize
507KB

MD5
acae0628b7df86f2257e76c064adc63c

SHA1
0ad10d85a70187745849d38551e6cb197f067d19

SHA256
14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549

SHA512
a81035177ebded54a1b54061f84da06fe42ee56fb2f07e0a1c7cc39eb109b83c1ef196034bba743b1eca47e7a6b78866327f5f3c5fbfd93c084735c7d8332027

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe

Filesize
507KB

MD5
acae0628b7df86f2257e76c064adc63c

SHA1
0ad10d85a70187745849d38551e6cb197f067d19

SHA256
14c677290ebe1bf2be247eb076e2a702d1bc713d6ae249b1f00c78762c8b6549

SHA512
a81035177ebded54a1b54061f84da06fe42ee56fb2f07e0a1c7cc39eb109b83c1ef196034bba743b1eca47e7a6b78866327f5f3c5fbfd93c084735c7d8332027

Download Submit
memory/800-58-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/800-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/800-55-0x0000000000230000-0x000000000028B000-memory.dmp

Filesize
364KB

Download
memory/800-56-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/828-73-0x0000000000000000-mapping.dmp

Download
memory/1344-76-0x0000000004790000-0x0000000004822000-memory.dmp

Filesize
584KB

Download
memory/1344-70-0x0000000004790000-0x0000000004822000-memory.dmp

Filesize
584KB

Download
memory/1472-72-0x0000000000000000-mapping.dmp

Download
memory/1500-57-0x0000000000000000-mapping.dmp

Download
memory/1732-71-0x0000000000000000-mapping.dmp

Download
memory/1916-60-0x0000000000000000-mapping.dmp

Download
memory/2016-63-0x0000000000000000-mapping.dmp

Download
memory/2016-68-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2016-67-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2020-69-0x00000000003D0000-0x0000000000462000-memory.dmp

Filesize
584KB

Download
memory/2020-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads