gozi_ifsb | 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec

General

Target

31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
Size

493KB
MD5

853b89f711eb10ab73ee8e1ad2f6cb63
SHA1

2383fc006ea0fac7bd0c9b9130082a7a3ed0c529
SHA256

31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec
SHA512

99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

AcGeecfc.exe

pid process

616 AcGeecfc.exe

pid	process
616	AcGeecfc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Contager = "C:\\Users\\Admin\\AppData\\Roaming\\Bingutil\\AcGeecfc.exe"	31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4936 616 WerFault.exe AcGeecfc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AcGeecfc.exe

pid process

616 AcGeecfc.exe
616 AcGeecfc.exe

pid	pid_target	process	target process
4936	616	WerFault.exe	AcGeecfc.exe

pid	process
616	AcGeecfc.exe
616	AcGeecfc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.execmd.execmd.exeAcGeecfc.exe

description	pid	process	target process
PID 1552 wrote to memory of 4804	1552	31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe	cmd.exe
PID 1552 wrote to memory of 4804	1552	31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe	cmd.exe
PID 1552 wrote to memory of 4804	1552	31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe	cmd.exe
PID 4804 wrote to memory of 968	4804	cmd.exe	cmd.exe
PID 4804 wrote to memory of 968	4804	cmd.exe	cmd.exe
PID 4804 wrote to memory of 968	4804	cmd.exe	cmd.exe
PID 968 wrote to memory of 616	968	cmd.exe	AcGeecfc.exe
PID 968 wrote to memory of 616	968	cmd.exe	AcGeecfc.exe
PID 968 wrote to memory of 616	968	cmd.exe	AcGeecfc.exe
PID 616 wrote to memory of 4844	616	AcGeecfc.exe	svchost.exe
PID 616 wrote to memory of 4844	616	AcGeecfc.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
"C:\Users\Admin\AppData\Local\Temp\31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3B34\33.bat" "C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\31F890~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\31F890~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
"C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\31F890~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 564
5⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 616 -ip 616
1⤵
PID:5072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3B34\33.bat
Filesize
112B

MD5
3601077259d59ced658fd99e54ef57d3

SHA1
85c06d387a652e75660a7f0872ee58e9cf25caa5

SHA256
6cba92ffa844205d8fd9d939a55b0932d1198b2627b64cab254980a88468c365

SHA512
034062875050b574632a359051f001693f15e084138cdcf6c49a4d750ece87d99a3df2cd48561483158d6611f17e73c844c8fc40bfe6ef781826fc155ce4c1e9

Download Submit
C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
Filesize
493KB

MD5
853b89f711eb10ab73ee8e1ad2f6cb63

SHA1
2383fc006ea0fac7bd0c9b9130082a7a3ed0c529

SHA256
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec

SHA512
99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0

Download Submit
C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
Filesize
493KB

MD5
853b89f711eb10ab73ee8e1ad2f6cb63

SHA1
2383fc006ea0fac7bd0c9b9130082a7a3ed0c529

SHA256
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec

SHA512
99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0

Download Submit
memory/616-139-0x0000000000000000-mapping.dmp

Download
memory/616-142-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/616-144-0x0000000000600000-0x0000000000630000-memory.dmp

Filesize
192KB

Download
memory/968-138-0x0000000000000000-mapping.dmp

Download
memory/1552-133-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1552-135-0x00000000021C0000-0x00000000021F0000-memory.dmp

Filesize
192KB

Download
memory/4804-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads