gozi_ifsb | 3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c

General

Target

3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c.exe
Size

477KB
MD5

f6162f7578e8ffa56bb77ef2c285a075
SHA1

eedc00b3acf3b31bd28623fa1e892328556661a2
SHA256

3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c
SHA512

c05851bc72c044c53c4e4b6363faa5914b1466c4302a1d7e7881578c9e1f755cdb2db4e8e0ecb0153f660a0752286abda941dcba11e810f827c3a56110e8c0a3

Score

10^/10

gozi_ifsb banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
214963

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

bidiprov.exe

pid process

1504 bidiprov.exe
Deletes itself 1 IoCs

Processes:

bidiprov.exe

pid process

1504 bidiprov.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

960 cmd.exe
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

pid	process
1504	bidiprov.exe

pid	process
1504	bidiprov.exe

pid	process
960	cmd.exe

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\actian32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\COLOorui\\bidiprov.exe"	3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bidiprov.exesvchost.exe

description	pid	process	target process
PID 1504 set thread context of 1464	1504	bidiprov.exe	svchost.exe
PID 1464 set thread context of 1196	1464	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bidiprov.exeExplorer.EXE

pid process

1504 bidiprov.exe
1196 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

bidiprov.exesvchost.exe

pid process

1504 bidiprov.exe
1464 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
1196 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
1196 Explorer.EXE

pid	process
1504	bidiprov.exe
1196	Explorer.EXE

pid	process
1504	bidiprov.exe
1464	svchost.exe

pid	process
1196	Explorer.EXE
1196	Explorer.EXE

pid	process
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c.execmd.execmd.exebidiprov.exesvchost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1868 wrote to memory of 1340	1868	3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c.exe	cmd.exe
PID 1868 wrote to memory of 1340	1868	3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c.exe	cmd.exe
PID 1868 wrote to memory of 1340	1868	3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c.exe	cmd.exe
PID 1868 wrote to memory of 1340	1868	3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c.exe	cmd.exe
PID 1340 wrote to memory of 960	1340	cmd.exe	cmd.exe
PID 1340 wrote to memory of 960	1340	cmd.exe	cmd.exe
PID 1340 wrote to memory of 960	1340	cmd.exe	cmd.exe
PID 1340 wrote to memory of 960	1340	cmd.exe	cmd.exe
PID 960 wrote to memory of 1504	960	cmd.exe	bidiprov.exe
PID 960 wrote to memory of 1504	960	cmd.exe	bidiprov.exe
PID 960 wrote to memory of 1504	960	cmd.exe	bidiprov.exe
PID 960 wrote to memory of 1504	960	cmd.exe	bidiprov.exe
PID 1504 wrote to memory of 1464	1504	bidiprov.exe	svchost.exe
PID 1504 wrote to memory of 1464	1504	bidiprov.exe	svchost.exe
PID 1504 wrote to memory of 1464	1504	bidiprov.exe	svchost.exe
PID 1504 wrote to memory of 1464	1504	bidiprov.exe	svchost.exe
PID 1504 wrote to memory of 1464	1504	bidiprov.exe	svchost.exe
PID 1504 wrote to memory of 1464	1504	bidiprov.exe	svchost.exe
PID 1504 wrote to memory of 1464	1504	bidiprov.exe	svchost.exe
PID 1464 wrote to memory of 1196	1464	svchost.exe	Explorer.EXE
PID 1464 wrote to memory of 1196	1464	svchost.exe	Explorer.EXE
PID 1464 wrote to memory of 1196	1464	svchost.exe	Explorer.EXE
PID 1196 wrote to memory of 432	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 432	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 432	1196	Explorer.EXE	cmd.exe
PID 432 wrote to memory of 1532	432	cmd.exe	nslookup.exe
PID 432 wrote to memory of 1532	432	cmd.exe	nslookup.exe
PID 432 wrote to memory of 1532	432	cmd.exe	nslookup.exe
PID 1196 wrote to memory of 1564	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1564	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1564	1196	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c.exe
  "C:\Users\Admin\AppData\Local\Temp\3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\3C43\10.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe" "C:\Users\Admin\AppData\Local\Temp\335452~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe" "C:\Users\Admin\AppData\Local\Temp\335452~1.EXE""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe
        
        "C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe" "C:\Users\Admin\AppData\Local\Temp\335452~1.EXE"
        5⤵
        Executes dropped EXE
        Deletes itself
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1464
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\6D50.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1532
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6D50.bi1"
  2⤵
  PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3C43\10.bat

Filesize
108B

MD5
aae23de971abc5315af5192b31cea3c5

SHA1
5405320146d23b2c9ae71a8ef2e2fd7bb0b17044

SHA256
715c778a30c1c0d8de241f108f210d46a6af0d824dddc2ce23bbf22db0b7ab55

SHA512
ef632bf95c1322c8957d8198f309257f7c402efb8c5b433f11a0aac045abefb8b4f5cd2aee77a923ce515e8939e28606fc332e1d48cac07f3c86e4f1670a3a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D50.bi1

Filesize
118B

MD5
ace7e9f29953c4fbd6a930b50f792079

SHA1
97511e3438221ac9c30944fca7b91e87978c1248

SHA256
58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

SHA512
5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D50.bi1

Filesize
118B

MD5
ace7e9f29953c4fbd6a930b50f792079

SHA1
97511e3438221ac9c30944fca7b91e87978c1248

SHA256
58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

SHA512
5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe

Filesize
477KB

MD5
f6162f7578e8ffa56bb77ef2c285a075

SHA1
eedc00b3acf3b31bd28623fa1e892328556661a2

SHA256
3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c

SHA512
c05851bc72c044c53c4e4b6363faa5914b1466c4302a1d7e7881578c9e1f755cdb2db4e8e0ecb0153f660a0752286abda941dcba11e810f827c3a56110e8c0a3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe

Filesize
477KB

MD5
f6162f7578e8ffa56bb77ef2c285a075

SHA1
eedc00b3acf3b31bd28623fa1e892328556661a2

SHA256
3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c

SHA512
c05851bc72c044c53c4e4b6363faa5914b1466c4302a1d7e7881578c9e1f755cdb2db4e8e0ecb0153f660a0752286abda941dcba11e810f827c3a56110e8c0a3

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe

Filesize
477KB

MD5
f6162f7578e8ffa56bb77ef2c285a075

SHA1
eedc00b3acf3b31bd28623fa1e892328556661a2

SHA256
3354522abf0ba5c25fd93ef52cde13557584d6f2264daafc169c5f37ba08013c

SHA512
c05851bc72c044c53c4e4b6363faa5914b1466c4302a1d7e7881578c9e1f755cdb2db4e8e0ecb0153f660a0752286abda941dcba11e810f827c3a56110e8c0a3

Download Submit
memory/432-71-0x0000000000000000-mapping.dmp

Download
memory/960-60-0x0000000000000000-mapping.dmp

Download
memory/1196-70-0x0000000003FB0000-0x0000000004042000-memory.dmp

Filesize
584KB

Download
memory/1196-76-0x0000000003FB0000-0x0000000004042000-memory.dmp

Filesize
584KB

Download
memory/1340-57-0x0000000000000000-mapping.dmp

Download
memory/1464-67-0x0000000000000000-mapping.dmp

Download
memory/1464-69-0x00000000003F0000-0x0000000000482000-memory.dmp

Filesize
584KB

Download
memory/1504-63-0x0000000000000000-mapping.dmp

Download
memory/1504-66-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1504-68-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1532-72-0x0000000000000000-mapping.dmp

Download
memory/1564-73-0x0000000000000000-mapping.dmp

Download
memory/1868-58-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1868-56-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1868-55-0x0000000000270000-0x00000000002CD000-memory.dmp

Filesize
372KB

Download
memory/1868-54-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads