gozi_ifsb | 2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e

General

Target

2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe
Size

851KB
MD5

356803d58538c6e67cba97dc1cf50021
SHA1

56a643fd5d4b927cad2b5c7cf9c92103d426344c
SHA256

2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e
SHA512

c05207089b1dd8ccd65268e9b2aa948f2df3a2c1d0f714ca24326a27a62fbdcb3fdf4214213c89f781d130850c8ff38422e407f7f807231436956fdc00b5d465

Score

10^/10

gozi_ifsb 92 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

92

C2

http://aaxvkah7dudzoloq.onion

http://mashallah.at

http://anumal-planet.at

Attributes

build
217027
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfshngle = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypider\\bridclen.exe"	Explorer.EXE

Suspicious use of SetThreadContext 7 IoCs

Processes:

2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 2236 set thread context of 4732	2236	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 4732 set thread context of 3148	4732	control.exe	Explorer.EXE
PID 3148 set thread context of 3636	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 set thread context of 3864	3148	Explorer.EXE	RuntimeBroker.exe
PID 4732 set thread context of 4232	4732	control.exe	rundll32.exe
PID 3148 set thread context of 4516	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 set thread context of 3084	3148	Explorer.EXE	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exeExplorer.EXE

pid	process
2236	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe
2236	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe
2236	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe
2236	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe
3148	Explorer.EXE
3148	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3148 Explorer.EXE

pid	process
3148	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.execontrol.exeExplorer.EXE

pid	process
2236	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe
4732	control.exe
3148	Explorer.EXE
3148	Explorer.EXE
4732	control.exe
3148	Explorer.EXE
3148	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

description	pid	process
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3636	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3148 Explorer.EXE

pid	process
3148	Explorer.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.execontrol.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2236 wrote to memory of 4732	2236	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 2236 wrote to memory of 4732	2236	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 2236 wrote to memory of 4732	2236	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 2236 wrote to memory of 4732	2236	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 2236 wrote to memory of 4732	2236	2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe	control.exe
PID 4732 wrote to memory of 3148	4732	control.exe	Explorer.EXE
PID 4732 wrote to memory of 3148	4732	control.exe	Explorer.EXE
PID 4732 wrote to memory of 3148	4732	control.exe	Explorer.EXE
PID 3148 wrote to memory of 3636	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 3636	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 3636	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 3864	3148	Explorer.EXE	RuntimeBroker.exe
PID 4732 wrote to memory of 4232	4732	control.exe	rundll32.exe
PID 4732 wrote to memory of 4232	4732	control.exe	rundll32.exe
PID 4732 wrote to memory of 4232	4732	control.exe	rundll32.exe
PID 3148 wrote to memory of 3864	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 3864	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4516	3148	Explorer.EXE	RuntimeBroker.exe
PID 4732 wrote to memory of 4232	4732	control.exe	rundll32.exe
PID 4732 wrote to memory of 4232	4732	control.exe	rundll32.exe
PID 3148 wrote to memory of 4516	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4516	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 1304	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 1304	3148	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 4392	1304	cmd.exe	nslookup.exe
PID 1304 wrote to memory of 4392	1304	cmd.exe	nslookup.exe
PID 3148 wrote to memory of 4384	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 4384	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 3084	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 3084	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 3084	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 3084	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 3084	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 3084	3148	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4516

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3864

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe
"C:\Users\Admin\AppData\Local\Temp\2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
4⤵
PID:4232

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\6B0F.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:4392

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6B0F.bi1"
2⤵
PID:4384

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6B0F.bi1
Filesize
118B

MD5
ace7e9f29953c4fbd6a930b50f792079

SHA1
97511e3438221ac9c30944fca7b91e87978c1248

SHA256
58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

SHA512
5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B0F.bi1
Filesize
118B

MD5
ace7e9f29953c4fbd6a930b50f792079

SHA1
97511e3438221ac9c30944fca7b91e87978c1248

SHA256
58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

SHA512
5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypider\bridclen.exe
Filesize
851KB

MD5
356803d58538c6e67cba97dc1cf50021

SHA1
56a643fd5d4b927cad2b5c7cf9c92103d426344c

SHA256
2cd9bc76624eebb8dd89600ca372b1de083a96d8e868eda0e974a7b2f58fc14e

SHA512
c05207089b1dd8ccd65268e9b2aa948f2df3a2c1d0f714ca24326a27a62fbdcb3fdf4214213c89f781d130850c8ff38422e407f7f807231436956fdc00b5d465

Download Submit
memory/1304-149-0x0000000000000000-mapping.dmp

Download
memory/2236-131-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2236-132-0x00000000022D0000-0x000000000231A000-memory.dmp

Filesize
296KB

Download
memory/2236-130-0x0000000002DC0000-0x0000000002DF3000-memory.dmp

Filesize
204KB

Download
memory/3084-156-0x00000000013A0000-0x0000000001444000-memory.dmp

Filesize
656KB

Download
memory/3084-155-0x0000000000036B20-0x0000000000036B24-memory.dmp

Filesize
4B

Download
memory/3084-154-0x0000000000000000-mapping.dmp

Download
memory/3148-145-0x0000000002F80000-0x0000000003031000-memory.dmp

Filesize
708KB

Download
memory/3636-146-0x0000017C29440000-0x0000017C294F1000-memory.dmp

Filesize
708KB

Download
memory/3864-147-0x0000020383700000-0x00000203837B1000-memory.dmp

Filesize
708KB

Download
memory/4232-143-0x00000187C8B00000-0x00000187C8BB1000-memory.dmp

Filesize
708KB

Download
memory/4232-142-0x0000000000000000-mapping.dmp

Download
memory/4384-151-0x0000000000000000-mapping.dmp

Download
memory/4392-150-0x0000000000000000-mapping.dmp

Download
memory/4516-148-0x00000225E6680000-0x00000225E6731000-memory.dmp

Filesize
708KB

Download
memory/4732-144-0x0000000000C90000-0x0000000000D41000-memory.dmp

Filesize
708KB

Download
memory/4732-140-0x0000000000C90000-0x0000000000D41000-memory.dmp

Filesize
708KB

Download
memory/4732-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads