gozi_ifsb | 3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1

General

Target

3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe
Size

388KB
MD5

155203d92c9d8514fdea49e38d796a2d
SHA1

95730596a750676d8649ced7233f2e6da29a7f0f
SHA256

3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1
SHA512

6ff8269a57be0a6198f3fd78c154ffd9f96936bf5e248c2208fd9938d6c4174334ce733866312eb71cb6149d1d1b2bd2b55417222d18c8ab118658efabf8c2ea

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

amxredit.exe

pid process

2040 amxredit.exe
Deletes itself 1 IoCs

Processes:

amxredit.exe

pid process

2040 amxredit.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1720 cmd.exe
1720 cmd.exe

pid	process
2040	amxredit.exe

pid	process
2040	amxredit.exe

pid	process
1720	cmd.exe
1720	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audial32 = "C:\\Users\\Admin\\AppData\\Roaming\\Audiient\\amxredit.exe"	3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

amxredit.exesvchost.exe

description	pid	process	target process
PID 2040 set thread context of 2004	2040	amxredit.exe	svchost.exe
PID 2004 set thread context of 1304	2004	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

amxredit.exeExplorer.EXE

pid process

2040 amxredit.exe
1304 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

amxredit.exesvchost.exe

pid process

2040 amxredit.exe
2004 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1304 Explorer.EXE

pid	process
2040	amxredit.exe
1304	Explorer.EXE

pid	process
2040	amxredit.exe
2004	svchost.exe

pid	process
1304	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.execmd.execmd.exeamxredit.exesvchost.exe

description	pid	process	target process
PID 1964 wrote to memory of 1312	1964	3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe	cmd.exe
PID 1964 wrote to memory of 1312	1964	3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe	cmd.exe
PID 1964 wrote to memory of 1312	1964	3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe	cmd.exe
PID 1964 wrote to memory of 1312	1964	3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe	cmd.exe
PID 1312 wrote to memory of 1720	1312	cmd.exe	cmd.exe
PID 1312 wrote to memory of 1720	1312	cmd.exe	cmd.exe
PID 1312 wrote to memory of 1720	1312	cmd.exe	cmd.exe
PID 1312 wrote to memory of 1720	1312	cmd.exe	cmd.exe
PID 1720 wrote to memory of 2040	1720	cmd.exe	amxredit.exe
PID 1720 wrote to memory of 2040	1720	cmd.exe	amxredit.exe
PID 1720 wrote to memory of 2040	1720	cmd.exe	amxredit.exe
PID 1720 wrote to memory of 2040	1720	cmd.exe	amxredit.exe
PID 2040 wrote to memory of 2004	2040	amxredit.exe	svchost.exe
PID 2040 wrote to memory of 2004	2040	amxredit.exe	svchost.exe
PID 2040 wrote to memory of 2004	2040	amxredit.exe	svchost.exe
PID 2040 wrote to memory of 2004	2040	amxredit.exe	svchost.exe
PID 2040 wrote to memory of 2004	2040	amxredit.exe	svchost.exe
PID 2040 wrote to memory of 2004	2040	amxredit.exe	svchost.exe
PID 2040 wrote to memory of 2004	2040	amxredit.exe	svchost.exe
PID 2004 wrote to memory of 1304	2004	svchost.exe	Explorer.EXE
PID 2004 wrote to memory of 1304	2004	svchost.exe	Explorer.EXE
PID 2004 wrote to memory of 1304	2004	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Users\Admin\AppData\Local\Temp\3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe
"C:\Users\Admin\AppData\Local\Temp\3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\D6C2\6B61.bat" "C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\3305C3~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\3305C3~1.EXE""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
"C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\3305C3~1.EXE"
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D6C2\6B61.bat
Filesize
108B

MD5
d12a7a82311e1dd51e746b3af566fd63

SHA1
cbba03204fbf23992505a77c0c3f019b07f80aba

SHA256
26f0b60d95a4c036e812a6e04bfaa38c81a72c953771c9199213506c4496145c

SHA512
26f7a15333ce7f95dfc980ba76675d90d5d64a3d0b08ffa5fb71b77740b99944aac158fe79a9dca4a19cd4bbef47a169a3f26a22e9652c7b15c1a59ebae1f1b5

Download Submit
C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
Filesize
388KB

MD5
155203d92c9d8514fdea49e38d796a2d

SHA1
95730596a750676d8649ced7233f2e6da29a7f0f

SHA256
3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1

SHA512
6ff8269a57be0a6198f3fd78c154ffd9f96936bf5e248c2208fd9938d6c4174334ce733866312eb71cb6149d1d1b2bd2b55417222d18c8ab118658efabf8c2ea

Download Submit
C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
Filesize
388KB

MD5
155203d92c9d8514fdea49e38d796a2d

SHA1
95730596a750676d8649ced7233f2e6da29a7f0f

SHA256
3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1

SHA512
6ff8269a57be0a6198f3fd78c154ffd9f96936bf5e248c2208fd9938d6c4174334ce733866312eb71cb6149d1d1b2bd2b55417222d18c8ab118658efabf8c2ea

Download Submit
\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
Filesize
388KB

MD5
155203d92c9d8514fdea49e38d796a2d

SHA1
95730596a750676d8649ced7233f2e6da29a7f0f

SHA256
3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1

SHA512
6ff8269a57be0a6198f3fd78c154ffd9f96936bf5e248c2208fd9938d6c4174334ce733866312eb71cb6149d1d1b2bd2b55417222d18c8ab118658efabf8c2ea

Download Submit
\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
Filesize
388KB

MD5
155203d92c9d8514fdea49e38d796a2d

SHA1
95730596a750676d8649ced7233f2e6da29a7f0f

SHA256
3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1

SHA512
6ff8269a57be0a6198f3fd78c154ffd9f96936bf5e248c2208fd9938d6c4174334ce733866312eb71cb6149d1d1b2bd2b55417222d18c8ab118658efabf8c2ea

Download Submit
memory/1304-74-0x00000000025F0000-0x0000000002665000-memory.dmp

Filesize
468KB

Download
memory/1304-73-0x00000000025F0000-0x0000000002665000-memory.dmp

Filesize
468KB

Download
memory/1312-58-0x0000000000000000-mapping.dmp

Download
memory/1720-60-0x0000000000000000-mapping.dmp

Download
memory/1964-57-0x00000000001B0000-0x00000000001E0000-memory.dmp

Filesize
192KB

Download
memory/1964-54-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1964-55-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2004-71-0x00000000003E0000-0x0000000000455000-memory.dmp

Filesize
468KB

Download
memory/2004-70-0x0000000000000000-mapping.dmp

Download
memory/2004-72-0x00000000003E0000-0x0000000000455000-memory.dmp

Filesize
468KB

Download
memory/2040-69-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2040-67-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2040-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads