gozi_ifsb | 2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e

General

Target

2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe
Size

851KB
MD5

356803d58538c6e67cba97dc1cf50021
SHA1

56a643fd5d4b927cad2b5c7cf9c92103d426344c
SHA256

2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e
SHA512

c05207089b1dd8ccd65268e9b2aa948f2df3a2c1d0f714ca24326a27a62fbdcb3fdf4214213c89f781d130850c8ff38422e407f7f807231436956fdc00b5d465

Score

10^/10

gozi_ifsb 92 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

92

C2

http://aaxvkah7dudzoloq.onion

http://mashallah.at

http://anumal-planet.at

Attributes

build
217027
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\bdesthci = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Bitsager\\Audiudrv.exe"	Explorer.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 1312 set thread context of 1592	1312	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 1592 set thread context of 1256	1592	control.exe	Explorer.EXE
PID 1592 set thread context of 948	1592	control.exe	rundll32.exe
PID 1256 set thread context of 1816	1256	Explorer.EXE	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exeExplorer.EXE

pid	process
1312	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe
1312	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe
1256	Explorer.EXE

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.execontrol.exeExplorer.EXE

pid process

1312 2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe
1592 control.exe
1592 control.exe
1256 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.execontrol.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1312 wrote to memory of 1592	1312	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 1312 wrote to memory of 1592	1312	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 1312 wrote to memory of 1592	1312	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 1312 wrote to memory of 1592	1312	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 1312 wrote to memory of 1592	1312	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 1312 wrote to memory of 1592	1312	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 1312 wrote to memory of 1592	1312	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 1592 wrote to memory of 1256	1592	control.exe	Explorer.EXE
PID 1592 wrote to memory of 1256	1592	control.exe	Explorer.EXE
PID 1592 wrote to memory of 1256	1592	control.exe	Explorer.EXE
PID 1592 wrote to memory of 948	1592	control.exe	rundll32.exe
PID 1592 wrote to memory of 948	1592	control.exe	rundll32.exe
PID 1592 wrote to memory of 948	1592	control.exe	rundll32.exe
PID 1592 wrote to memory of 948	1592	control.exe	rundll32.exe
PID 1592 wrote to memory of 948	1592	control.exe	rundll32.exe
PID 1592 wrote to memory of 948	1592	control.exe	rundll32.exe
PID 1256 wrote to memory of 1056	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1056	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1056	1256	Explorer.EXE	cmd.exe
PID 1056 wrote to memory of 1040	1056	cmd.exe	nslookup.exe
PID 1056 wrote to memory of 1040	1056	cmd.exe	nslookup.exe
PID 1056 wrote to memory of 1040	1056	cmd.exe	nslookup.exe
PID 1256 wrote to memory of 1680	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1680	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1680	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1816	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1816	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1816	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1816	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1816	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1816	1256	Explorer.EXE	cmd.exe
PID 1256 wrote to memory of 1816	1256	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe
"C:\Users\Admin\AppData\Local\Temp\2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
4⤵
PID:948

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\80DC.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:1040

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80DC.bi1"
2⤵
PID:1680

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\80DC.bi1
Filesize
118B

MD5
ace7e9f29953c4fbd6a930b50f792079

SHA1
97511e3438221ac9c30944fca7b91e87978c1248

SHA256
58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

SHA512
5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106

Download Submit
C:\Users\Admin\AppData\Local\Temp\80DC.bi1
Filesize
118B

MD5
ace7e9f29953c4fbd6a930b50f792079

SHA1
97511e3438221ac9c30944fca7b91e87978c1248

SHA256
58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

SHA512
5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Bitsager\Audiudrv.exe
Filesize
851KB

MD5
356803d58538c6e67cba97dc1cf50021

SHA1
56a643fd5d4b927cad2b5c7cf9c92103d426344c

SHA256
2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e

SHA512
c05207089b1dd8ccd65268e9b2aa948f2df3a2c1d0f714ca24326a27a62fbdcb3fdf4214213c89f781d130850c8ff38422e407f7f807231436956fdc00b5d465

Download Submit
memory/948-67-0x0000000000000000-mapping.dmp

Download
memory/948-69-0x0000000000480000-0x0000000000531000-memory.dmp

Filesize
708KB

Download
memory/1040-73-0x0000000000000000-mapping.dmp

Download
memory/1056-72-0x0000000000000000-mapping.dmp

Download
memory/1256-71-0x00000000040E0000-0x0000000004191000-memory.dmp

Filesize
708KB

Download
memory/1312-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1312-57-0x0000000002D60000-0x0000000002DAA000-memory.dmp

Filesize
296KB

Download
memory/1312-56-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1312-55-0x0000000002B20000-0x0000000002B53000-memory.dmp

Filesize
204KB

Download
memory/1592-66-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download
memory/1592-65-0x0000000000270000-0x0000000000321000-memory.dmp

Filesize
708KB

Download
memory/1592-70-0x0000000000270000-0x0000000000321000-memory.dmp

Filesize
708KB

Download
memory/1592-64-0x0000000000000000-mapping.dmp

Download
memory/1680-74-0x0000000000000000-mapping.dmp

Download
memory/1816-77-0x0000000000000000-mapping.dmp

Download
memory/1816-78-0x00000000001E0000-0x0000000000284000-memory.dmp

Filesize
656KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads