gozi_ifsb | 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec

General

Target

31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
Size

493KB
MD5

853b89f711eb10ab73ee8e1ad2f6cb63
SHA1

2383fc006ea0fac7bd0c9b9130082a7a3ed0c529
SHA256

31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec
SHA512

99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

amxredit.exe

pid process

2024 amxredit.exe
Deletes itself 1 IoCs

Processes:

amxredit.exe

pid process

2024 amxredit.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1996 cmd.exe

pid	process
2024	amxredit.exe

pid	process
2024	amxredit.exe

pid	process
1996	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audial32 = "C:\\Users\\Admin\\AppData\\Roaming\\Audiient\\amxredit.exe"	31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

amxredit.exesvchost.exe

description	pid	process	target process
PID 2024 set thread context of 992	2024	amxredit.exe	svchost.exe
PID 992 set thread context of 1320	992	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

amxredit.exeExplorer.EXE

pid process

2024 amxredit.exe
1320 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

amxredit.exesvchost.exe

pid process

2024 amxredit.exe
992 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1320 Explorer.EXE
1320 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1320 Explorer.EXE
1320 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1320 Explorer.EXE

pid	process
2024	amxredit.exe
1320	Explorer.EXE

pid	process
2024	amxredit.exe
992	svchost.exe

pid	process
1320	Explorer.EXE
1320	Explorer.EXE

pid	process
1320	Explorer.EXE
1320	Explorer.EXE

pid	process
1320	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.execmd.execmd.exeamxredit.exesvchost.exe

description	pid	process	target process
PID 1932 wrote to memory of 2040	1932	31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe	cmd.exe
PID 1932 wrote to memory of 2040	1932	31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe	cmd.exe
PID 1932 wrote to memory of 2040	1932	31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe	cmd.exe
PID 1932 wrote to memory of 2040	1932	31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe	cmd.exe
PID 2040 wrote to memory of 1996	2040	cmd.exe	cmd.exe
PID 2040 wrote to memory of 1996	2040	cmd.exe	cmd.exe
PID 2040 wrote to memory of 1996	2040	cmd.exe	cmd.exe
PID 2040 wrote to memory of 1996	2040	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2024	1996	cmd.exe	amxredit.exe
PID 1996 wrote to memory of 2024	1996	cmd.exe	amxredit.exe
PID 1996 wrote to memory of 2024	1996	cmd.exe	amxredit.exe
PID 1996 wrote to memory of 2024	1996	cmd.exe	amxredit.exe
PID 2024 wrote to memory of 992	2024	amxredit.exe	svchost.exe
PID 2024 wrote to memory of 992	2024	amxredit.exe	svchost.exe
PID 2024 wrote to memory of 992	2024	amxredit.exe	svchost.exe
PID 2024 wrote to memory of 992	2024	amxredit.exe	svchost.exe
PID 2024 wrote to memory of 992	2024	amxredit.exe	svchost.exe
PID 2024 wrote to memory of 992	2024	amxredit.exe	svchost.exe
PID 2024 wrote to memory of 992	2024	amxredit.exe	svchost.exe
PID 992 wrote to memory of 1320	992	svchost.exe	Explorer.EXE
PID 992 wrote to memory of 1320	992	svchost.exe	Explorer.EXE
PID 992 wrote to memory of 1320	992	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Users\Admin\AppData\Local\Temp\31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
"C:\Users\Admin\AppData\Local\Temp\31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4888\2444.bat" "C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\31F890~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\31F890~1.EXE""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
"C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\31F890~1.EXE"
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4888\2444.bat
Filesize
108B

MD5
309e7e712ff0be0c0957c5dbf70db78d

SHA1
fd5fd60c61ef48c03e21bfb5c615ba695f107a7f

SHA256
a3951aaa3751251519493fac1d6f6a7c0dcabf22ee9377bb86a7107e1f13e516

SHA512
2f6273a945e86421695a839c438b44b1fe4b306c953374ddde8e461525215eab87161bbbd4043458dbf93500d6f07d8531127c85b15b968ea3bdc40b7813ebfd

Download Submit
C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
Filesize
493KB

MD5
853b89f711eb10ab73ee8e1ad2f6cb63

SHA1
2383fc006ea0fac7bd0c9b9130082a7a3ed0c529

SHA256
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec

SHA512
99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0

Download Submit
C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
Filesize
493KB

MD5
853b89f711eb10ab73ee8e1ad2f6cb63

SHA1
2383fc006ea0fac7bd0c9b9130082a7a3ed0c529

SHA256
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec

SHA512
99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0

Download Submit
\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
Filesize
493KB

MD5
853b89f711eb10ab73ee8e1ad2f6cb63

SHA1
2383fc006ea0fac7bd0c9b9130082a7a3ed0c529

SHA256
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec

SHA512
99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0

Download Submit
memory/992-70-0x0000000000380000-0x00000000003F5000-memory.dmp

Filesize
468KB

Download
memory/992-69-0x0000000000000000-mapping.dmp

Download
memory/1320-72-0x0000000002B90000-0x0000000002C05000-memory.dmp

Filesize
468KB

Download
memory/1320-71-0x0000000002B90000-0x0000000002C05000-memory.dmp

Filesize
468KB

Download
memory/1932-55-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1932-57-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1932-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1996-60-0x0000000000000000-mapping.dmp

Download
memory/2024-63-0x0000000000000000-mapping.dmp

Download
memory/2024-68-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2040-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads