gozi_ifsb | 3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666

General

Target

3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666.exe
Size

388KB
MD5

44e4017f47dce2d2925124bb2116166c
SHA1

f5efde405de07ca60afe67ee6f5e53538195fd23
SHA256

3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666
SHA512

be68a64aee0a1d5241012d5cde84432274d08217628ab65e131e842e29c33b382ff5c3b4d390cf4a493b4304ae6ba06f1547e02eb22099b27a85135553cf2a75

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

apprispl.exe

pid process

3112 apprispl.exe

pid	process
3112	apprispl.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\capigSup = "C:\\Users\\Admin\\AppData\\Roaming\\Azurives\\apprispl.exe"	3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2668 3112 WerFault.exe apprispl.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

apprispl.exe

pid process

3112 apprispl.exe
3112 apprispl.exe

pid	pid_target	process	target process
2668	3112	WerFault.exe	apprispl.exe

pid	process
3112	apprispl.exe
3112	apprispl.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666.execmd.execmd.exeapprispl.exe

description	pid	process	target process
PID 3700 wrote to memory of 1676	3700	3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666.exe	cmd.exe
PID 3700 wrote to memory of 1676	3700	3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666.exe	cmd.exe
PID 3700 wrote to memory of 1676	3700	3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666.exe	cmd.exe
PID 1676 wrote to memory of 5012	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 5012	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 5012	1676	cmd.exe	cmd.exe
PID 5012 wrote to memory of 3112	5012	cmd.exe	apprispl.exe
PID 5012 wrote to memory of 3112	5012	cmd.exe	apprispl.exe
PID 5012 wrote to memory of 3112	5012	cmd.exe	apprispl.exe
PID 3112 wrote to memory of 4604	3112	apprispl.exe	svchost.exe
PID 3112 wrote to memory of 4604	3112	apprispl.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666.exe
"C:\Users\Admin\AppData\Local\Temp\3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CD0\10.bat" "C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe" "C:\Users\Admin\AppData\Local\Temp\3A6C4A~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe" "C:\Users\Admin\AppData\Local\Temp\3A6C4A~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe
"C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe" "C:\Users\Admin\AppData\Local\Temp\3A6C4A~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 584
5⤵
- Program crash
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3112 -ip 3112
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CD0\10.bat

Filesize
112B

MD5
06216667dabb2cf15d477d710abf8cbc

SHA1
d12ee50603d0fbfee32544e61d9d1787e2bdd2ce

SHA256
3976f4b4445fa1561239bfb67466cc2a12f5564e1de4f38a29642f4307f4ca8d

SHA512
fb7d0180b02b11fecbb86ed4f40236933426e7e34bd2b73145a37969a30e607f5e7b80ac4460b342da1d637cb3503f03b226ea16d56a598188b49fe53dff502e

Download Submit
C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe

Filesize
388KB

MD5
44e4017f47dce2d2925124bb2116166c

SHA1
f5efde405de07ca60afe67ee6f5e53538195fd23

SHA256
3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666

SHA512
be68a64aee0a1d5241012d5cde84432274d08217628ab65e131e842e29c33b382ff5c3b4d390cf4a493b4304ae6ba06f1547e02eb22099b27a85135553cf2a75

Download Submit
C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe

Filesize
388KB

MD5
44e4017f47dce2d2925124bb2116166c

SHA1
f5efde405de07ca60afe67ee6f5e53538195fd23

SHA256
3a6c4a466f072c8fb1b98dad22a2d66b9433261f515fafb21427755b5bd1d666

SHA512
be68a64aee0a1d5241012d5cde84432274d08217628ab65e131e842e29c33b382ff5c3b4d390cf4a493b4304ae6ba06f1547e02eb22099b27a85135553cf2a75

Download Submit
memory/1676-133-0x0000000000000000-mapping.dmp

Download
memory/3112-136-0x0000000000000000-mapping.dmp

Download
memory/3112-139-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3112-141-0x00000000005E0000-0x0000000000610000-memory.dmp

Filesize
192KB

Download
memory/3700-130-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3700-132-0x0000000000710000-0x0000000000740000-memory.dmp

Filesize
192KB

Download
memory/5012-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads