Analysis

  • max time kernel
    155s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15/06/2022, 01:44

General

  • Target

    2b9172252061b17a9766a119ae34a2775cf52b3378a73319ba269cad5f177457.exe

  • Size

    435KB

  • MD5

    7783e2f29716653c0158494c00caf0a1

  • SHA1

    714a7bde778d8b5db88e55401699fcda664027a4

  • SHA256

    2b9172252061b17a9766a119ae34a2775cf52b3378a73319ba269cad5f177457

  • SHA512

    58b215c4e9120987090ebbc38b9b5b76135948b490340fdaed45dd6cc0358cb862bc891d3aaee88a4d5994a3144480510dcf46efcc02ca152b3df29d36036d64

Malware Config

Extracted

Family

gozi_ifsb

Attributes
  • build

    214107

Extracted

Family

gozi_ifsb

Botnet

3533

C2

gmail.com

google.com

s82dortha27r.top

qcnick5990.top

sd6eb.com

Attributes
  • build

    214107

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b9172252061b17a9766a119ae34a2775cf52b3378a73319ba269cad5f177457.exe
    "C:\Users\Admin\AppData\Local\Temp\2b9172252061b17a9766a119ae34a2775cf52b3378a73319ba269cad5f177457.exe"
    1⤵
      PID:3284
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:2132
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2012
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:868
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3216
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4024
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4024 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4132

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/3284-130-0x0000000000210000-0x0000000001289000-memory.dmp

              Filesize

              16.5MB

            • memory/3284-131-0x0000000000210000-0x000000000021E000-memory.dmp

              Filesize

              56KB

            • memory/3284-132-0x0000000000210000-0x0000000001289000-memory.dmp

              Filesize

              16.5MB

            • memory/3284-133-0x0000000001740000-0x000000000174F000-memory.dmp

              Filesize

              60KB