gozi_ifsb | 2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77

General

Target

2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe
Size

351KB
MD5

0a32c9e785df05c1c8de665952434a35
SHA1

4e0a8e28795ec8e6bae272bf75a8d7a2b138f56f
SHA256

2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77
SHA512

924c525dd517737b6473f03db5f043ac3af6c3f25ddf580cb88dcc11149fd1bec202d2427f7ce1b3961472c4ddff8d29e14d32bd3254b6eb0f15fa7747631f85

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

AcGeecfc.exe

pid process

1564 AcGeecfc.exe

pid	process
1564	AcGeecfc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Contager = "C:\\Users\\Admin\\AppData\\Roaming\\Bingutil\\AcGeecfc.exe"	2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2704 1564 WerFault.exe AcGeecfc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AcGeecfc.exe

pid process

1564 AcGeecfc.exe
1564 AcGeecfc.exe

pid	pid_target	process	target process
2704	1564	WerFault.exe	AcGeecfc.exe

pid	process
1564	AcGeecfc.exe
1564	AcGeecfc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.execmd.execmd.exeAcGeecfc.exe

description	pid	process	target process
PID 760 wrote to memory of 1688	760	2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe	cmd.exe
PID 760 wrote to memory of 1688	760	2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe	cmd.exe
PID 760 wrote to memory of 1688	760	2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe	cmd.exe
PID 1688 wrote to memory of 1492	1688	cmd.exe	cmd.exe
PID 1688 wrote to memory of 1492	1688	cmd.exe	cmd.exe
PID 1688 wrote to memory of 1492	1688	cmd.exe	cmd.exe
PID 1492 wrote to memory of 1564	1492	cmd.exe	AcGeecfc.exe
PID 1492 wrote to memory of 1564	1492	cmd.exe	AcGeecfc.exe
PID 1492 wrote to memory of 1564	1492	cmd.exe	AcGeecfc.exe
PID 1564 wrote to memory of 1644	1564	AcGeecfc.exe	svchost.exe
PID 1564 wrote to memory of 1644	1564	AcGeecfc.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe
"C:\Users\Admin\AppData\Local\Temp\2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CE41\51.bat" "C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\2B4BD6~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\2B4BD6~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
"C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\2B4BD6~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 560
5⤵
- Program crash
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1564 -ip 1564
1⤵
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CE41\51.bat
Filesize
112B

MD5
3a023866bfe9b109657985281f667276

SHA1
22c0c5753d9296dfe1e7c0f0aab433423c06c47e

SHA256
832507ddea51d78a5224d1cc73ba92158440e9e665250f25ab09fb11770a8907

SHA512
79cc19e2b76224faf4d67dccd89e7dd590e348e9ac892d0ae564cc708f0cf3f5196c66cdf6b0a94fc103427f4d1091665df5585fd05a982ed69f4df02810093d

Download Submit
C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
Filesize
351KB

MD5
0a32c9e785df05c1c8de665952434a35

SHA1
4e0a8e28795ec8e6bae272bf75a8d7a2b138f56f

SHA256
2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77

SHA512
924c525dd517737b6473f03db5f043ac3af6c3f25ddf580cb88dcc11149fd1bec202d2427f7ce1b3961472c4ddff8d29e14d32bd3254b6eb0f15fa7747631f85

Download Submit
C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
Filesize
351KB

MD5
0a32c9e785df05c1c8de665952434a35

SHA1
4e0a8e28795ec8e6bae272bf75a8d7a2b138f56f

SHA256
2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77

SHA512
924c525dd517737b6473f03db5f043ac3af6c3f25ddf580cb88dcc11149fd1bec202d2427f7ce1b3961472c4ddff8d29e14d32bd3254b6eb0f15fa7747631f85

Download Submit
memory/760-130-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/760-132-0x0000000000540000-0x0000000000570000-memory.dmp

Filesize
192KB

Download
memory/1492-135-0x0000000000000000-mapping.dmp

Download
memory/1564-136-0x0000000000000000-mapping.dmp

Download
memory/1564-139-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1564-141-0x0000000000570000-0x00000000005A0000-memory.dmp

Filesize
192KB

Download
memory/1688-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads