gozi_ifsb | 3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1

General

Target

3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe
Size

388KB
MD5

155203d92c9d8514fdea49e38d796a2d
SHA1

95730596a750676d8649ced7233f2e6da29a7f0f
SHA256

3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1
SHA512

6ff8269a57be0a6198f3fd78c154ffd9f96936bf5e248c2208fd9938d6c4174334ce733866312eb71cb6149d1d1b2bd2b55417222d18c8ab118658efabf8c2ea

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

Actipi32.exe

pid process

888 Actipi32.exe

pid	process
888	Actipi32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcWioker = "C:\\Users\\Admin\\AppData\\Roaming\\Addrdlet\\Actipi32.exe"	3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2280 888 WerFault.exe Actipi32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Actipi32.exe

pid process

888 Actipi32.exe
888 Actipi32.exe

pid	pid_target	process	target process
2280	888	WerFault.exe	Actipi32.exe

pid	process
888	Actipi32.exe
888	Actipi32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.execmd.execmd.exeActipi32.exe

description	pid	process	target process
PID 4124 wrote to memory of 4288	4124	3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe	cmd.exe
PID 4124 wrote to memory of 4288	4124	3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe	cmd.exe
PID 4124 wrote to memory of 4288	4124	3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe	cmd.exe
PID 4288 wrote to memory of 1488	4288	cmd.exe	cmd.exe
PID 4288 wrote to memory of 1488	4288	cmd.exe	cmd.exe
PID 4288 wrote to memory of 1488	4288	cmd.exe	cmd.exe
PID 1488 wrote to memory of 888	1488	cmd.exe	Actipi32.exe
PID 1488 wrote to memory of 888	1488	cmd.exe	Actipi32.exe
PID 1488 wrote to memory of 888	1488	cmd.exe	Actipi32.exe
PID 888 wrote to memory of 2336	888	Actipi32.exe	svchost.exe
PID 888 wrote to memory of 2336	888	Actipi32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe
"C:\Users\Admin\AppData\Local\Temp\3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4720\10.bat" "C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\3305C3~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\3305C3~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
"C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\3305C3~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 600
5⤵
- Program crash
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 888 -ip 888
1⤵
PID:3908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4720\10.bat
Filesize
112B

MD5
102e807fdd95515902cb686b445e869e

SHA1
5fad4078f070ee93925fae6effcfa77af5cf9f78

SHA256
b55bfc9c093c7b4f4c26e518a3be9282a81c92443a8f0203502c03191ae6bf3d

SHA512
91be15e682a883e7997483b50cc4febaefc180a109e09d6db3caa18730c6ed39c3c4d8b7185064328cb5412316b09eab3ede1aaa04189ded5a5492122ed2d014

Download Submit
C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
Filesize
388KB

MD5
155203d92c9d8514fdea49e38d796a2d

SHA1
95730596a750676d8649ced7233f2e6da29a7f0f

SHA256
3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1

SHA512
6ff8269a57be0a6198f3fd78c154ffd9f96936bf5e248c2208fd9938d6c4174334ce733866312eb71cb6149d1d1b2bd2b55417222d18c8ab118658efabf8c2ea

Download Submit
C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
Filesize
388KB

MD5
155203d92c9d8514fdea49e38d796a2d

SHA1
95730596a750676d8649ced7233f2e6da29a7f0f

SHA256
3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1

SHA512
6ff8269a57be0a6198f3fd78c154ffd9f96936bf5e248c2208fd9938d6c4174334ce733866312eb71cb6149d1d1b2bd2b55417222d18c8ab118658efabf8c2ea

Download Submit
memory/888-136-0x0000000000000000-mapping.dmp

Download
memory/888-139-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/888-141-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/1488-135-0x0000000000000000-mapping.dmp

Download
memory/4124-130-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4124-132-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/4288-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads