gozi_ifsb | 1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a

General

Target

1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe
Size

388KB
MD5

0bb4c690fe90c499275a1b268b5ff0eb
SHA1

4308d202a1f308db17e6a5b1eda83aa18aa45ece
SHA256

1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a
SHA512

9b01f020cc2899eb10353072359d343e6b81df1fbea6f6f2d5b138c039a1d9b160da814aaf194fae9561c35550724b1623b086282846d31da9b8dfb89fe83074

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

Audirvps.exe

pid process

4224 Audirvps.exe

pid	process
4224	Audirvps.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Clipmlua = "C:\\Users\\Admin\\AppData\\Roaming\\AppMtngc\\Audirvps.exe"	1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4168 4224 WerFault.exe Audirvps.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Audirvps.exe

pid process

4224 Audirvps.exe
4224 Audirvps.exe

pid	pid_target	process	target process
4168	4224	WerFault.exe	Audirvps.exe

pid	process
4224	Audirvps.exe
4224	Audirvps.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.execmd.execmd.exeAudirvps.exe

description	pid	process	target process
PID 4116 wrote to memory of 3744	4116	1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe	cmd.exe
PID 4116 wrote to memory of 3744	4116	1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe	cmd.exe
PID 4116 wrote to memory of 3744	4116	1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe	cmd.exe
PID 3744 wrote to memory of 4632	3744	cmd.exe	cmd.exe
PID 3744 wrote to memory of 4632	3744	cmd.exe	cmd.exe
PID 3744 wrote to memory of 4632	3744	cmd.exe	cmd.exe
PID 4632 wrote to memory of 4224	4632	cmd.exe	Audirvps.exe
PID 4632 wrote to memory of 4224	4632	cmd.exe	Audirvps.exe
PID 4632 wrote to memory of 4224	4632	cmd.exe	Audirvps.exe
PID 4224 wrote to memory of 4220	4224	Audirvps.exe	svchost.exe
PID 4224 wrote to memory of 4220	4224	Audirvps.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe
"C:\Users\Admin\AppData\Local\Temp\1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E018\10.bat" "C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\1D63B5~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\1D63B5~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
"C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\1D63B5~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 572
5⤵
- Program crash
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4224 -ip 4224
1⤵
PID:2124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E018\10.bat
Filesize
112B

MD5
2e10604859d57e00c294694ab833784e

SHA1
2c32e6b046d2ca8a7831f46fa3711b87dff6aa3d

SHA256
cf6049aa850101e6f006a26f381a725172c4968ca2748acfd68636fe5847c634

SHA512
adfbd0df917d89b5e58e01e1434e63e9ab4b1a67454cad0bad7ea5e1154d30fd235af91bc3ccce3ef5df37714391cb9c041f7d4f524ab47d0b773e7d09d73703

Download Submit
C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
Filesize
388KB

MD5
0bb4c690fe90c499275a1b268b5ff0eb

SHA1
4308d202a1f308db17e6a5b1eda83aa18aa45ece

SHA256
1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a

SHA512
9b01f020cc2899eb10353072359d343e6b81df1fbea6f6f2d5b138c039a1d9b160da814aaf194fae9561c35550724b1623b086282846d31da9b8dfb89fe83074

Download Submit
C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
Filesize
388KB

MD5
0bb4c690fe90c499275a1b268b5ff0eb

SHA1
4308d202a1f308db17e6a5b1eda83aa18aa45ece

SHA256
1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a

SHA512
9b01f020cc2899eb10353072359d343e6b81df1fbea6f6f2d5b138c039a1d9b160da814aaf194fae9561c35550724b1623b086282846d31da9b8dfb89fe83074

Download Submit
memory/3744-133-0x0000000000000000-mapping.dmp

Download
memory/4116-130-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4116-132-0x00000000021B0000-0x00000000021E0000-memory.dmp

Filesize
192KB

Download
memory/4224-136-0x0000000000000000-mapping.dmp

Download
memory/4224-139-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4224-141-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/4632-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads