gozi_ifsb | ef8401bbced442697964c5f58d4312ce9c08881a2a3f5982a643f4856591f4d2

General

Target

ef8401bbced442697964c5f58d4312ce9c08881a2a3f5982a643f4856591f4d2.exe
Size

1.8MB
MD5

938b6b238e4db39d4849b32755dbffd0
SHA1

f51757be269296835eb54c93d110c1d1ef72863a
SHA256

ef8401bbced442697964c5f58d4312ce9c08881a2a3f5982a643f4856591f4d2
SHA512

cc9c99334aa522b9a6e87df163c20f81511b27ea84af1c719bb05a1c03d63e6bd0c81d50a7caeb5f33b0b4131b26aed750a177aaab997d3021a01e15ba78a6b3

Score

10^/10

gozi_ifsb 3493 banker suricata trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
214098

Extracted

Family

gozi_ifsb

Botnet

3493

C2

google.com

gmail.com

lsammietf53.com

p28u70webster.com

ploi7260m71.com

Attributes

build
214098
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff0000000000200000000001066000000010000200000002f40f167be738a8612f1a9c026a71eb604adbb70bc89c764898f331facbe5fe6000000000e8000000002000020000000d7234dee4eb3b4be4fd0c682c4e1082eb701dfdd9e078a5e5e25bafe2559a14d2000000064bfa99e2490e4102fc0e6d7c9afb4304a14f7aa1a1232d729ed9ef2c419a6a64000000011794dc8e24943feba1505458ea2e7420af83c874b86e72e5b270d810319c8d6b7120ab565f3f7a649f34dbeb301901a6e1dbef40ec291f6db8f1e16cc993b13	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 106bd0b41f8dd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D60BCDD5-F912-11EC-B274-66F9B3FFC396} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff000000000020000000000106600000001000020000000067c65488876090310e1eda6c2b193c2b35bc357bfa4bd1bedc46d681543bd6a000000000e8000000002000020000000dd6747127facc8dba7f3ca6eed285f2853a27b8633fd9eaae3924b2da64d311020000000d30273b0f048d1b60e21dc049764c25833e4e36b99ccd331f31111ad75bfc854400000009a502fdbeb20ec1a8b33f9e70dfbf60c526c10541d01023c457895b72e0aa6b5d905233007eb8c823a0658845f31d7b00dd754eb8ceaea6e94ecd8c3522c18a8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00f70dd31f8dd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff000000000020000000000106600000001000020000000c2520d84e70dabc9fb7417aa94427867525f1fa25cbe45a26ec090374d845ff9000000000e800000000200002000000040b0aaf2286c2ddced94b8c8f3d3de8a9df28d891394b108258b7ceb373549122000000022b1ef5df0e6b44362f03c6038cf3c0abcfc4fb7054a8f7390a758a44e2c9dc9400000008d032c6629057a6f7e7e5d54ba06656475044b27b6bb9eeff0477010ea7c003a85771e51421a2e12d558ea151f76b31886a22553086caf08041822a8793243c1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70b996c21f8dd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0CB95CB7-F913-11EC-B274-66F9B3FFC396} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f01f14b41f8dd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff00000000002000000000010660000000100002000000096e345edf857c3e396d4e015f16b81248755b5f370dadf05c25af54b0ce054a7000000000e80000000020000200000000fc6a024cf7b7eccf4c00cde349ec76b47b1f59c07f464cfeed2a46220bbb9bf200000002ae6956db678f357800e6913476a390a0e360a047c8b13274f06b7c458e3a76940000000ddc545b70b0ec4db1923ad780a3d9e4201bec1960a0c0ad22d2ef7868585fb1894638c785cd8d7b14b432eab94a6b45227f1d9d198c416562fe87f0600e0a7fa	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F5B3A627-F912-11EC-B274-66F9B3FFC396} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

4264 iexplore.exe
5104 iexplore.exe
3664 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
4264	iexplore.exe
4264	iexplore.exe
4176	IEXPLORE.EXE
4176	IEXPLORE.EXE
5104	iexplore.exe
5104	iexplore.exe
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE
3664	iexplore.exe
3664	iexplore.exe
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4264 wrote to memory of 4176	4264	iexplore.exe	IEXPLORE.EXE
PID 4264 wrote to memory of 4176	4264	iexplore.exe	IEXPLORE.EXE
PID 4264 wrote to memory of 4176	4264	iexplore.exe	IEXPLORE.EXE
PID 5104 wrote to memory of 2304	5104	iexplore.exe	IEXPLORE.EXE
PID 5104 wrote to memory of 2304	5104	iexplore.exe	IEXPLORE.EXE
PID 5104 wrote to memory of 2304	5104	iexplore.exe	IEXPLORE.EXE
PID 3664 wrote to memory of 1692	3664	iexplore.exe	IEXPLORE.EXE
PID 3664 wrote to memory of 1692	3664	iexplore.exe	IEXPLORE.EXE
PID 3664 wrote to memory of 1692	3664	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\ef8401bbced442697964c5f58d4312ce9c08881a2a3f5982a643f4856591f4d2.exe
"C:\Users\Admin\AppData\Local\Temp\ef8401bbced442697964c5f58d4312ce9c08881a2a3f5982a643f4856591f4d2.exe"
1⤵
PID:3076

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4264 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5104 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3664

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3664 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3076-130-0x0000000000790000-0x0000000000AEC000-memory.dmp

Filesize
3.4MB

Download
memory/3076-131-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/3076-132-0x0000000000790000-0x0000000000AEC000-memory.dmp

Filesize
3.4MB

Download
memory/3076-133-0x0000000002C20000-0x0000000002C2F000-memory.dmp

Filesize
60KB

Download
memory/3076-139-0x0000000000790000-0x0000000000AEC000-memory.dmp

Filesize
3.4MB

Download
memory/3076-140-0x0000000000790000-0x0000000000AEC000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads