gozi_ifsb | 23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b

General

Target

23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe
Size

390KB
MD5

225ffd144298eb3f220b3847392eedef
SHA1

8adc33c2e0c51d32ec16bd2b6c782bd97a0a9f7d
SHA256

23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b
SHA512

92f55d1683c3840a194749dfb2cf81412f3b694d3285b1b08012b745e80662a159f4360a88fb12664abc0da26f08216ab44daa34f72bf0eedcd2df80d9219236

Score

10^/10

gozi_ifsb banker trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Loads dropped DLL 1 IoCs

Processes:

23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe

pid process

1792 23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe

pid	process
1792	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe

description	pid	process	target process
PID 1792 set thread context of 1940	1792	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe

pid process

1792 23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe

pid	process
1792	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe

description	pid	process	target process
PID 1792 wrote to memory of 1940	1792	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe
PID 1792 wrote to memory of 1940	1792	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe
PID 1792 wrote to memory of 1940	1792	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe
PID 1792 wrote to memory of 1940	1792	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe
PID 1792 wrote to memory of 1940	1792	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe	23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe

C:\Users\Admin\AppData\Local\Temp\23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe
"C:\Users\Admin\AppData\Local\Temp\23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe
  "C:\Users\Admin\AppData\Local\Temp\23af05e453111d0351229d775dadc076480029fd755616cbd0ac4618dc66772b.exe"
  2⤵
  PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso4A5B.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
memory/1792-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1792-58-0x0000000000450000-0x000000000049A000-memory.dmp

Filesize
296KB

Download
memory/1940-56-0x00000000004010E7-mapping.dmp

Download
memory/1940-59-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1940-60-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing