gozi_ifsb | 29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6

General

Target

29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe
Size

474KB
MD5

695579360bdbdab40a0df450af10628d
SHA1

254c8f577b9f44727de32aa440328ef00955db59
SHA256

29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6
SHA512

9314b8dc206a798e05db9796e64da2ed177b8d23777ffb23ca7ebdec63f438a516be6b01c9e65b7c76355bc96e220124200d3e1400d34e4fc094314d50e098ed

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

Authsvcs.exe

pid process

620 Authsvcs.exe
Deletes itself 1 IoCs

Processes:

Authsvcs.exe

pid process

620 Authsvcs.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1256 cmd.exe

pid	process
620	Authsvcs.exe

pid	process
620	Authsvcs.exe

pid	process
1256	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\catsmifw = "C:\\Users\\Admin\\AppData\\Roaming\\cfgbmime\\Authsvcs.exe"	29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Authsvcs.exesvchost.exe

description	pid	process	target process
PID 620 set thread context of 1412	620	Authsvcs.exe	svchost.exe
PID 1412 set thread context of 1220	1412	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Authsvcs.exeExplorer.EXE

pid process

620 Authsvcs.exe
1220 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Authsvcs.exesvchost.exe

pid process

620 Authsvcs.exe
1412 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE

pid	process
620	Authsvcs.exe
1220	Explorer.EXE

pid	process
620	Authsvcs.exe
1412	svchost.exe

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.execmd.execmd.exeAuthsvcs.exesvchost.exe

description	pid	process	target process
PID 1700 wrote to memory of 1264	1700	29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe	cmd.exe
PID 1700 wrote to memory of 1264	1700	29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe	cmd.exe
PID 1700 wrote to memory of 1264	1700	29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe	cmd.exe
PID 1700 wrote to memory of 1264	1700	29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe	cmd.exe
PID 1264 wrote to memory of 1256	1264	cmd.exe	cmd.exe
PID 1264 wrote to memory of 1256	1264	cmd.exe	cmd.exe
PID 1264 wrote to memory of 1256	1264	cmd.exe	cmd.exe
PID 1264 wrote to memory of 1256	1264	cmd.exe	cmd.exe
PID 1256 wrote to memory of 620	1256	cmd.exe	Authsvcs.exe
PID 1256 wrote to memory of 620	1256	cmd.exe	Authsvcs.exe
PID 1256 wrote to memory of 620	1256	cmd.exe	Authsvcs.exe
PID 1256 wrote to memory of 620	1256	cmd.exe	Authsvcs.exe
PID 620 wrote to memory of 1412	620	Authsvcs.exe	svchost.exe
PID 620 wrote to memory of 1412	620	Authsvcs.exe	svchost.exe
PID 620 wrote to memory of 1412	620	Authsvcs.exe	svchost.exe
PID 620 wrote to memory of 1412	620	Authsvcs.exe	svchost.exe
PID 620 wrote to memory of 1412	620	Authsvcs.exe	svchost.exe
PID 620 wrote to memory of 1412	620	Authsvcs.exe	svchost.exe
PID 620 wrote to memory of 1412	620	Authsvcs.exe	svchost.exe
PID 1412 wrote to memory of 1220	1412	svchost.exe	Explorer.EXE
PID 1412 wrote to memory of 1220	1412	svchost.exe	Explorer.EXE
PID 1412 wrote to memory of 1220	1412	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1220

C:\Users\Admin\AppData\Local\Temp\29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe
"C:\Users\Admin\AppData\Local\Temp\29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1B32\31.bat" "C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe" "C:\Users\Admin\AppData\Local\Temp\29AC9F~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe" "C:\Users\Admin\AppData\Local\Temp\29AC9F~1.EXE""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
"C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe" "C:\Users\Admin\AppData\Local\Temp\29AC9F~1.EXE"
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B32\31.bat
Filesize
108B

MD5
2471f00d95666c0e4a7c8c0678b7914d

SHA1
e27a00342fca0f7b49eb0ea5f79247361da280d7

SHA256
95c2cc16f6e1c15e856319b26243869e876926b4863a61491c142edd3d55ffdc

SHA512
a3e31127c9ef235e9f7a8c612824301a76f6e61e66e2516c8b7864bd8b52142f71d770f4e4902aafe309b57dafa7c2222175f9a78dd98342dcd50a8b64230438

Download Submit
C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
Filesize
474KB

MD5
695579360bdbdab40a0df450af10628d

SHA1
254c8f577b9f44727de32aa440328ef00955db59

SHA256
29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6

SHA512
9314b8dc206a798e05db9796e64da2ed177b8d23777ffb23ca7ebdec63f438a516be6b01c9e65b7c76355bc96e220124200d3e1400d34e4fc094314d50e098ed

Download Submit
C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
Filesize
474KB

MD5
695579360bdbdab40a0df450af10628d

SHA1
254c8f577b9f44727de32aa440328ef00955db59

SHA256
29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6

SHA512
9314b8dc206a798e05db9796e64da2ed177b8d23777ffb23ca7ebdec63f438a516be6b01c9e65b7c76355bc96e220124200d3e1400d34e4fc094314d50e098ed

Download Submit
\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
Filesize
474KB

MD5
695579360bdbdab40a0df450af10628d

SHA1
254c8f577b9f44727de32aa440328ef00955db59

SHA256
29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6

SHA512
9314b8dc206a798e05db9796e64da2ed177b8d23777ffb23ca7ebdec63f438a516be6b01c9e65b7c76355bc96e220124200d3e1400d34e4fc094314d50e098ed

Download Submit
memory/620-63-0x0000000000000000-mapping.dmp

Download
memory/620-66-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/620-68-0x00000000001F0000-0x0000000000220000-memory.dmp

Filesize
192KB

Download
memory/1220-72-0x0000000002AC0000-0x0000000002B35000-memory.dmp

Filesize
468KB

Download
memory/1220-73-0x0000000002AC0000-0x0000000002B35000-memory.dmp

Filesize
468KB

Download
memory/1256-60-0x0000000000000000-mapping.dmp

Download
memory/1264-58-0x0000000000000000-mapping.dmp

Download
memory/1412-69-0x0000000000000000-mapping.dmp

Download
memory/1412-70-0x00000000003C0000-0x0000000000435000-memory.dmp

Filesize
468KB

Download
memory/1412-71-0x00000000003C0000-0x0000000000435000-memory.dmp

Filesize
468KB

Download
memory/1700-57-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1700-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1700-55-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads