gozi_ifsb | 32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2

General

Target

32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe
Size

474KB
MD5

34edc1d95226bd29e8e9072da1855f28
SHA1

c68352f6607134fb0b5686263397deda8f434cb0
SHA256

32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2
SHA512

5c754c3f81eca1a948932c1aba2ce414ca4dfc5c2af3dfba74d2ec084b11b068e0e302ba80a71b01caa3fad3119b04fe57453502ae03f4da13df1e1ed93c5047

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

Audirvps.exe

pid process

2580 Audirvps.exe

pid	process
2580	Audirvps.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Clipmlua = "C:\\Users\\Admin\\AppData\\Roaming\\AppMtngc\\Audirvps.exe"	32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3280 2580 WerFault.exe Audirvps.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Audirvps.exe

pid process

2580 Audirvps.exe
2580 Audirvps.exe

pid	pid_target	process	target process
3280	2580	WerFault.exe	Audirvps.exe

pid	process
2580	Audirvps.exe
2580	Audirvps.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.execmd.execmd.exeAudirvps.exe

description	pid	process	target process
PID 1456 wrote to memory of 2040	1456	32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe	cmd.exe
PID 1456 wrote to memory of 2040	1456	32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe	cmd.exe
PID 1456 wrote to memory of 2040	1456	32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe	cmd.exe
PID 2040 wrote to memory of 4004	2040	cmd.exe	cmd.exe
PID 2040 wrote to memory of 4004	2040	cmd.exe	cmd.exe
PID 2040 wrote to memory of 4004	2040	cmd.exe	cmd.exe
PID 4004 wrote to memory of 2580	4004	cmd.exe	Audirvps.exe
PID 4004 wrote to memory of 2580	4004	cmd.exe	Audirvps.exe
PID 4004 wrote to memory of 2580	4004	cmd.exe	Audirvps.exe
PID 2580 wrote to memory of 4896	2580	Audirvps.exe	svchost.exe
PID 2580 wrote to memory of 4896	2580	Audirvps.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe
"C:\Users\Admin\AppData\Local\Temp\32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\738\839C.bat" "C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\32D3B5~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\32D3B5~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
"C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\32D3B5~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 572
5⤵
- Program crash
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2580 -ip 2580
1⤵
PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\738\839C.bat
Filesize
112B

MD5
aad552cdaafbdaeb4c849d1c2fa18052

SHA1
5c416a3789df373fb7257556f95a94b15569a736

SHA256
5fda6bd6f786f540d8db34a0d9ac33e70e05e8bfff7db6348f64596a4cd14efd

SHA512
bc8860c455e5cf6de86a9ace1ce85a80f510cdac65626f5f22793fbe69607c72cdecbfc3701b19ec60b595783e2220e3afd3f1e17dcecbc368054372737b0f15

Download Submit
C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
Filesize
474KB

MD5
34edc1d95226bd29e8e9072da1855f28

SHA1
c68352f6607134fb0b5686263397deda8f434cb0

SHA256
32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2

SHA512
5c754c3f81eca1a948932c1aba2ce414ca4dfc5c2af3dfba74d2ec084b11b068e0e302ba80a71b01caa3fad3119b04fe57453502ae03f4da13df1e1ed93c5047

Download Submit
C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
Filesize
474KB

MD5
34edc1d95226bd29e8e9072da1855f28

SHA1
c68352f6607134fb0b5686263397deda8f434cb0

SHA256
32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2

SHA512
5c754c3f81eca1a948932c1aba2ce414ca4dfc5c2af3dfba74d2ec084b11b068e0e302ba80a71b01caa3fad3119b04fe57453502ae03f4da13df1e1ed93c5047

Download Submit
memory/1456-131-0x00000000021C0000-0x00000000021F0000-memory.dmp

Filesize
192KB

Download
memory/1456-130-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1456-134-0x00000000021C0000-0x00000000021F0000-memory.dmp

Filesize
192KB

Download
memory/2040-133-0x0000000000000000-mapping.dmp

Download
memory/2580-137-0x0000000000000000-mapping.dmp

Download
memory/2580-140-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2580-142-0x00000000020A0000-0x00000000020D0000-memory.dmp

Filesize
192KB

Download
memory/4004-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads