Malware Analysis Report

2025-06-16 04:54

Sample ID 220612-1bl9caccg2
Target 1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d
SHA256 1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d
Tags
gozi_ifsb banker persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d

Threat Level: Known bad

The file 1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb banker persistence trojan

Gozi, Gozi IFSB

Executes dropped EXE

Unexpected DNS network traffic destination

Deletes itself

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-12 21:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-12 21:28

Reported

2022-06-13 02:59

Platform

win7-20220414-en

Max time kernel

60s

Max time network

105s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 208.67.222.222 N/A N/A (x3)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\certhell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Authput8\\bridkmon.exe" C:\Users\Admin\AppData\Local\Temp\1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1136 set thread context of 1176 N/A C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe C:\Windows\system32\svchost.exe
PID 1176 set thread context of 1396 N/A C:\Windows\system32\svchost.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1120 wrote to memory of 1912 (x4) N/A C:\Users\Admin\AppData\Local\Temp\1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 1916 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 1136 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe
PID 1136 wrote to memory of 1176 (x7) N/A C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe C:\Windows\system32\svchost.exe
PID 1176 wrote to memory of 1396 (x3) N/A C:\Windows\system32\svchost.exe C:\Windows\Explorer.EXE
PID 1396 wrote to memory of 860 (x3) N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 1432 (x3) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 1396 wrote to memory of 2012 (x3) N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe

"C:\Users\Admin\AppData\Local\Temp\1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\A9C7\31.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe" "C:\Users\Admin\AppData\Local\Temp\1E53C0~1.EXE""

C:\Windows\SysWOW64\cmd.exe

cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe" "C:\Users\Admin\AppData\Local\Temp\1E53C0~1.EXE""

C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe

"C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe" "C:\Users\Admin\AppData\Local\Temp\1E53C0~1.EXE"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\cmd.exe

cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\4238.bi1"

C:\Windows\system32\nslookup.exe

nslookup myip.opendns.com resolver1.opendns.com

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4238.bi1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bauern-stube.at udp
US 8.8.8.8:53 beads.berlin udp
DE 37.228.156.7:80 beads.berlin tcp
DE 37.228.156.7:443 beads.berlin tcp (x2)
US 8.8.8.8:53 bastelmichaela.bplaced.net udp
DE 162.55.0.134:80 bastelmichaela.bplaced.net tcp
DE 162.55.0.134:443 bastelmichaela.bplaced.net tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 104.110.191.182:80 apps.identrust.com tcp
US 8.8.8.8:53 bachmann-buam.at udp
DE 193.254.190.17:80 bachmann-buam.at tcp
DE 193.254.190.17:443 bachmann-buam.at tcp
US 8.8.8.8:53 isisobici.it udp
US 8.8.8.8:53 niolan.at udp
US 8.8.8.8:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp (x3)
US 8.8.8.8:53 mogolik.at udp

Files

memory/1120-54-0x00000000759E1000-0x00000000759E3000-memory.dmp
memory/1120-55-0x0000000000380000-0x00000000003DC000-memory.dmp
memory/1120-56-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/1912-57-0x0000000000000000-mapping.dmp
memory/1120-58-0x0000000000400000-0x00000000004A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A9C7\31.bat

MD5 a2cdddf0459419c710893342557b2775
SHA1 eb554d1a1eae3e2e7ac32cb66fced75cf956acda
SHA256 279230c2875214f4ad47a51c9e3eeb45d68241e0a68e172382782ab887d9dcde
SHA512 18215821f37297376f2e9208ffc63afe4bcb1c91a46c94d955a2b6576722aa040a7a168fc31d4d2e0484b9103c3fcde388ce8295c8ad13c028f11c890da9cad6

memory/1916-60-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe

MD5 f7f9c6d6ca43fe06303cc2dbd0456742
SHA1 2d505875b4e120306259a11dc9f7e4f24030dbc2
SHA256 1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d
SHA512 74bafab7303ee85c1e76d82ee27e86ad6df6bbbbca56ffd6f868260c3fc40feeb7152641e12b0c4841633601b818109c7a4c6792570998404dbc8c50255712d1

C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe

MD5 f7f9c6d6ca43fe06303cc2dbd0456742
SHA1 2d505875b4e120306259a11dc9f7e4f24030dbc2
SHA256 1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d
SHA512 74bafab7303ee85c1e76d82ee27e86ad6df6bbbbca56ffd6f868260c3fc40feeb7152641e12b0c4841633601b818109c7a4c6792570998404dbc8c50255712d1

memory/1136-63-0x0000000000000000-mapping.dmp

memory/1176-66-0x0000000000000000-mapping.dmp
memory/1136-67-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/1136-68-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/1176-69-0x00000000001C0000-0x0000000000252000-memory.dmp
memory/1396-70-0x0000000003C00000-0x0000000003C92000-memory.dmp
memory/860-71-0x0000000000000000-mapping.dmp
memory/1432-72-0x0000000000000000-mapping.dmp
memory/2012-73-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4238.bi1

MD5 41a49d1a2a3a8713a12ccf89932d4bb7
SHA1 b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287
SHA256 f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe
SHA512 1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

memory/1396-76-0x0000000003C00000-0x0000000003C92000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-12 21:28

Reported

2022-06-13 02:59

Platform

win10v2004-20220414-en

Max time kernel

90s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe

"C:\Users\Admin\AppData\Local\Temp\1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 456

Network

Country Destination Domain Proto
NL 8.238.23.254:80 N/A tcp (x7)
US 20.189.173.6:443 N/A tcp

Files

memory/1708-130-0x0000000002260000-0x00000000022BC000-memory.dmp