gozi_ifsb | 16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f

General

Target

16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f.exe
Size

493KB
MD5

7e12831b97ad63445fc0e9173b98b4b0
SHA1

36adafaafea6740027beef8d8f6d762ede47203d
SHA256

16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f
SHA512

44d6f4d58712f45838627cc8bde00e63b52d9c2bc9bc45ffa6963725f6b26ab307e61d40c469bc10a657d84137e62ad8ee861744f0208ba0bdef9d8f2bd97f9f

Score

10^/10

gozi_ifsb banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
214963

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

DDOIdMgr.exe

pid process

1768 DDOIdMgr.exe
Deletes itself 1 IoCs

Processes:

DDOIdMgr.exe

pid process

1768 DDOIdMgr.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1468 cmd.exe
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

pid	process
1768	DDOIdMgr.exe

pid	process
1768	DDOIdMgr.exe

pid	process
1468	cmd.exe

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\auth8thk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Datadler\\DDOIdMgr.exe"	16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

DDOIdMgr.exesvchost.exe

description	pid	process	target process
PID 1768 set thread context of 1224	1768	DDOIdMgr.exe	svchost.exe
PID 1224 set thread context of 1424	1224	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DDOIdMgr.exeExplorer.EXE

pid process

1768 DDOIdMgr.exe
1424 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

DDOIdMgr.exesvchost.exe

pid process

1768 DDOIdMgr.exe
1224 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
1424 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
1424 Explorer.EXE

pid	process
1768	DDOIdMgr.exe
1424	Explorer.EXE

pid	process
1768	DDOIdMgr.exe
1224	svchost.exe

pid	process
1424	Explorer.EXE
1424	Explorer.EXE

pid	process
1424	Explorer.EXE
1424	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f.execmd.execmd.exeDDOIdMgr.exesvchost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 988 wrote to memory of 2040	988	16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f.exe	cmd.exe
PID 988 wrote to memory of 2040	988	16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f.exe	cmd.exe
PID 988 wrote to memory of 2040	988	16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f.exe	cmd.exe
PID 988 wrote to memory of 2040	988	16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f.exe	cmd.exe
PID 2040 wrote to memory of 1468	2040	cmd.exe	cmd.exe
PID 2040 wrote to memory of 1468	2040	cmd.exe	cmd.exe
PID 2040 wrote to memory of 1468	2040	cmd.exe	cmd.exe
PID 2040 wrote to memory of 1468	2040	cmd.exe	cmd.exe
PID 1468 wrote to memory of 1768	1468	cmd.exe	DDOIdMgr.exe
PID 1468 wrote to memory of 1768	1468	cmd.exe	DDOIdMgr.exe
PID 1468 wrote to memory of 1768	1468	cmd.exe	DDOIdMgr.exe
PID 1468 wrote to memory of 1768	1468	cmd.exe	DDOIdMgr.exe
PID 1768 wrote to memory of 1224	1768	DDOIdMgr.exe	svchost.exe
PID 1768 wrote to memory of 1224	1768	DDOIdMgr.exe	svchost.exe
PID 1768 wrote to memory of 1224	1768	DDOIdMgr.exe	svchost.exe
PID 1768 wrote to memory of 1224	1768	DDOIdMgr.exe	svchost.exe
PID 1768 wrote to memory of 1224	1768	DDOIdMgr.exe	svchost.exe
PID 1768 wrote to memory of 1224	1768	DDOIdMgr.exe	svchost.exe
PID 1768 wrote to memory of 1224	1768	DDOIdMgr.exe	svchost.exe
PID 1224 wrote to memory of 1424	1224	svchost.exe	Explorer.EXE
PID 1224 wrote to memory of 1424	1224	svchost.exe	Explorer.EXE
PID 1224 wrote to memory of 1424	1224	svchost.exe	Explorer.EXE
PID 1424 wrote to memory of 1168	1424	Explorer.EXE	cmd.exe
PID 1424 wrote to memory of 1168	1424	Explorer.EXE	cmd.exe
PID 1424 wrote to memory of 1168	1424	Explorer.EXE	cmd.exe
PID 1168 wrote to memory of 1552	1168	cmd.exe	nslookup.exe
PID 1168 wrote to memory of 1552	1168	cmd.exe	nslookup.exe
PID 1168 wrote to memory of 1552	1168	cmd.exe	nslookup.exe
PID 1424 wrote to memory of 1532	1424	Explorer.EXE	cmd.exe
PID 1424 wrote to memory of 1532	1424	Explorer.EXE	cmd.exe
PID 1424 wrote to memory of 1532	1424	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f.exe
  "C:\Users\Admin\AppData\Local\Temp\16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\BD9D\2998.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe" "C:\Users\Admin\AppData\Local\Temp\16C2BF~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe" "C:\Users\Admin\AppData\Local\Temp\16C2BF~1.EXE""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe
        
        "C:\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe" "C:\Users\Admin\AppData\Local\Temp\16C2BF~1.EXE"
        5⤵
        Executes dropped EXE
        Deletes itself
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1224
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\ED4C.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1552
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\ED4C.bi1"
  2⤵
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BD9D\2998.bat

Filesize
108B

MD5
979462ca4338ae961c3b67831130c704

SHA1
ac79e5f101a7fe684089056dde698a55b3917e07

SHA256
5312fb503999e773c3296901b9161c4716d34fa886a02290a331d8cec6d4c7dc

SHA512
ed78c6e920dcf8b341d0ee1083d945b33c9a031e3a117c3d59c2ddd43c20a53cfe7adf170aa6b97fc80b97f824b0d4f75481c7b8d813606571320074b1e8fcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED4C.bi1

Filesize
118B

MD5
4f6429322fdfd711b81d8824b25fcd9c

SHA1
f7f917b64dd43b620bacd21f134d430d3c406aec

SHA256
d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8

SHA512
e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED4C.bi1

Filesize
118B

MD5
4f6429322fdfd711b81d8824b25fcd9c

SHA1
f7f917b64dd43b620bacd21f134d430d3c406aec

SHA256
d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8

SHA512
e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe

Filesize
493KB

MD5
7e12831b97ad63445fc0e9173b98b4b0

SHA1
36adafaafea6740027beef8d8f6d762ede47203d

SHA256
16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f

SHA512
44d6f4d58712f45838627cc8bde00e63b52d9c2bc9bc45ffa6963725f6b26ab307e61d40c469bc10a657d84137e62ad8ee861744f0208ba0bdef9d8f2bd97f9f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe

Filesize
493KB

MD5
7e12831b97ad63445fc0e9173b98b4b0

SHA1
36adafaafea6740027beef8d8f6d762ede47203d

SHA256
16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f

SHA512
44d6f4d58712f45838627cc8bde00e63b52d9c2bc9bc45ffa6963725f6b26ab307e61d40c469bc10a657d84137e62ad8ee861744f0208ba0bdef9d8f2bd97f9f

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\Datadler\DDOIdMgr.exe

Filesize
493KB

MD5
7e12831b97ad63445fc0e9173b98b4b0

SHA1
36adafaafea6740027beef8d8f6d762ede47203d

SHA256
16c2bfc8a95cd2996a5169d3fe441f6a8ac0d8fcf4c5562b6de6e68dac3ae35f

SHA512
44d6f4d58712f45838627cc8bde00e63b52d9c2bc9bc45ffa6963725f6b26ab307e61d40c469bc10a657d84137e62ad8ee861744f0208ba0bdef9d8f2bd97f9f

Download Submit
memory/988-54-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/988-56-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/988-55-0x0000000000230000-0x000000000028C000-memory.dmp

Filesize
368KB

Download
memory/1168-70-0x0000000000000000-mapping.dmp

Download
memory/1224-65-0x0000000000000000-mapping.dmp

Download
memory/1224-68-0x0000000000190000-0x0000000000222000-memory.dmp

Filesize
584KB

Download
memory/1424-69-0x00000000049B0000-0x0000000004A42000-memory.dmp

Filesize
584KB

Download
memory/1424-75-0x00000000049B0000-0x0000000004A42000-memory.dmp

Filesize
584KB

Download
memory/1468-59-0x0000000000000000-mapping.dmp

Download
memory/1532-72-0x0000000000000000-mapping.dmp

Download
memory/1552-71-0x0000000000000000-mapping.dmp

Download
memory/1768-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1768-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1768-62-0x0000000000000000-mapping.dmp

Download
memory/2040-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads