gozi_ifsb | 2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3

General

Target

2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe
Size

361KB
MD5

89fcd562f34d2b8aac582c852c85b2ae
SHA1

bf816e7b9be16330f8fd74585ba81821d5b76626
SHA256

2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3
SHA512

83b10cbecbb7ffd96b1000e36818ae3cefdfa76cc67e68e43bdc0ad661665f816940e5c6d470c641c48255fb9de7d0905392cc2e5aaeaa7eb18fb6ee995cdb14

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

Actipi32.exe

pid process

2264 Actipi32.exe

pid	process
2264	Actipi32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcWioker = "C:\\Users\\Admin\\AppData\\Roaming\\Addrdlet\\Actipi32.exe"	2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4416 2264 WerFault.exe Actipi32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Actipi32.exe

pid process

2264 Actipi32.exe
2264 Actipi32.exe

pid	pid_target	process	target process
4416	2264	WerFault.exe	Actipi32.exe

pid	process
2264	Actipi32.exe
2264	Actipi32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.execmd.execmd.exeActipi32.exe

description	pid	process	target process
PID 4460 wrote to memory of 4968	4460	2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe	cmd.exe
PID 4460 wrote to memory of 4968	4460	2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe	cmd.exe
PID 4460 wrote to memory of 4968	4460	2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe	cmd.exe
PID 4968 wrote to memory of 392	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 392	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 392	4968	cmd.exe	cmd.exe
PID 392 wrote to memory of 2264	392	cmd.exe	Actipi32.exe
PID 392 wrote to memory of 2264	392	cmd.exe	Actipi32.exe
PID 392 wrote to memory of 2264	392	cmd.exe	Actipi32.exe
PID 2264 wrote to memory of 828	2264	Actipi32.exe	svchost.exe
PID 2264 wrote to memory of 828	2264	Actipi32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe
"C:\Users\Admin\AppData\Local\Temp\2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76AC\BB65.bat" "C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\2AAF46~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\2AAF46~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
"C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\2AAF46~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 560
5⤵
- Program crash
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2264 -ip 2264
1⤵
PID:564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\76AC\BB65.bat
Filesize
112B

MD5
f44fb8160e32ca728821611501d366f3

SHA1
b8ed29184e1f1e5d99243ed7b84ac1c5be0378a1

SHA256
5fa3ab7279fdfafa35a04ea18c4d5f700e051f9419e0827df802f993793aba08

SHA512
8f823dc53aba79844778c1a940baff4901f9d77def0258020d9fcb1df0a72f1d8ec5976b8c70bee0160b3ae6d1577daedc2f8acebc55b19f11628dd15077129b

Download Submit
C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
Filesize
361KB

MD5
89fcd562f34d2b8aac582c852c85b2ae

SHA1
bf816e7b9be16330f8fd74585ba81821d5b76626

SHA256
2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3

SHA512
83b10cbecbb7ffd96b1000e36818ae3cefdfa76cc67e68e43bdc0ad661665f816940e5c6d470c641c48255fb9de7d0905392cc2e5aaeaa7eb18fb6ee995cdb14

Download Submit
C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
Filesize
361KB

MD5
89fcd562f34d2b8aac582c852c85b2ae

SHA1
bf816e7b9be16330f8fd74585ba81821d5b76626

SHA256
2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3

SHA512
83b10cbecbb7ffd96b1000e36818ae3cefdfa76cc67e68e43bdc0ad661665f816940e5c6d470c641c48255fb9de7d0905392cc2e5aaeaa7eb18fb6ee995cdb14

Download Submit
memory/392-135-0x0000000000000000-mapping.dmp

Download
memory/2264-136-0x0000000000000000-mapping.dmp

Download
memory/2264-139-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2264-141-0x0000000000580000-0x00000000005B0000-memory.dmp

Filesize
192KB

Download
memory/4460-130-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4460-132-0x00000000021C0000-0x00000000021F0000-memory.dmp

Filesize
192KB

Download
memory/4968-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads