gozi_ifsb | 3c3a4a21f7816166c2339c6587c9f1690ee19419394a9fb33a6007daae83289c

General

Target

3c3a4a21f7816166c2339c6587c9f1690ee19419394a9fb33a6007daae83289c.exe
Size

155KB
MD5

3d6aa7cadb4c947f8129797ce964ae30
SHA1

7e4860b0e302938b970688c2ec3fef6cbcbb3abe
SHA256

3c3a4a21f7816166c2339c6587c9f1690ee19419394a9fb33a6007daae83289c
SHA512

26b6ec448d387983a98efe8419607c24659d3f35e709682f234609a00ad05a19eb21436d582e7964227964f765388f08f53825c75b30404871c397e7c6fd2394

Score

10^/10

gozi_ifsb 3492 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
214098

Extracted

Family

gozi_ifsb

Botnet

3492

C2

google.com

gmail.com

lsammietf53.com

p28u70webster.com

ploi7260m71.com

Attributes

build
214098
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{593C3367-FABB-11EC-B274-6E95B8993B04} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{26BF82A3-FABB-11EC-B274-6E95B8993B04} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff000000000020000000000106600000001000020000000df6fe363a9703e069a8b8db8e576d982f869fa5ae8ef6a792eaca9783da8b06a000000000e80000000020000200000008dafb244960c1b3a81013f81da1121b15d34a4549c3e333e788b4875a60614b9200000005a3c50772bf0b41c0e80a5971dd79e595be197f46f71977dbb1953ebc1977066400000005fd4aea8ad562bd8c38ef94aa1136febf312526e3b6a3b4588ae55c226fcf2ee7ed073475bb910252df77e1e8f2937b32a737cfb17d9d7b9cd6f53743539239b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ca061cc88ed801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 007bca01c88ed801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b063060fc88ed801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff00000000002000000000010660000000100002000000036a6dffcdaa80cc63c378f65c56502bc5787583115103505c89fe20a7e49725c000000000e8000000002000020000000f6b7ce9397c459615d2d7a9f2c97208cbffc8bca4d0fe3525d1f5dd21e0841f720000000c5156dcaf2cf3c4ba11786a8d7cf0b605b24d58acc40ba7b8b1b5b08a810e7cf40000000821670d80ed8d9367f17cbcbd542a199b640163d9cc129c48535df36c29066d6a369788021944fa9a663794419b0d055a4b0b84f7c7c9f0cbc74631919a17341	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4BED33B4-FABB-11EC-B274-6E95B8993B04} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff000000000020000000000106600000001000020000000eafa80b65f0b031cd627815a35c533a40cf419814a34d03e5d1b24ba77d144e8000000000e80000000020000200000005da4f8594d719f555119e2cc449e4667227605c7d79e5c1ea8716edade87babd2000000076eab15620fb3bd7dbd30c2eb24f9fc62de000b422cabbaa637a18368276a13840000000e736d856150d1b729741e97dfec7b0d4bc5b4d89290f0e28920f3d77a1f0000959b281b25476ec196772dcca984dbdc44d3c4e1749b0ebe24ba7bf0a20645115	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

4924 iexplore.exe
4924 iexplore.exe
4624 iexplore.exe
1436 iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
4924	iexplore.exe
4924	iexplore.exe
1448	IEXPLORE.EXE
1448	IEXPLORE.EXE
4924	iexplore.exe
4924	iexplore.exe
5092	IEXPLORE.EXE
5092	IEXPLORE.EXE
4624	iexplore.exe
4624	iexplore.exe
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE
1436	iexplore.exe
1436	iexplore.exe
4360	IEXPLORE.EXE
4360	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4924 wrote to memory of 1448	4924	iexplore.exe	IEXPLORE.EXE
PID 4924 wrote to memory of 1448	4924	iexplore.exe	IEXPLORE.EXE
PID 4924 wrote to memory of 1448	4924	iexplore.exe	IEXPLORE.EXE
PID 4924 wrote to memory of 5092	4924	iexplore.exe	IEXPLORE.EXE
PID 4924 wrote to memory of 5092	4924	iexplore.exe	IEXPLORE.EXE
PID 4924 wrote to memory of 5092	4924	iexplore.exe	IEXPLORE.EXE
PID 4624 wrote to memory of 2976	4624	iexplore.exe	IEXPLORE.EXE
PID 4624 wrote to memory of 2976	4624	iexplore.exe	IEXPLORE.EXE
PID 4624 wrote to memory of 2976	4624	iexplore.exe	IEXPLORE.EXE
PID 1436 wrote to memory of 4360	1436	iexplore.exe	IEXPLORE.EXE
PID 1436 wrote to memory of 4360	1436	iexplore.exe	IEXPLORE.EXE
PID 1436 wrote to memory of 4360	1436	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\3c3a4a21f7816166c2339c6587c9f1690ee19419394a9fb33a6007daae83289c.exe
"C:\Users\Admin\AppData\Local\Temp\3c3a4a21f7816166c2339c6587c9f1690ee19419394a9fb33a6007daae83289c.exe"
1⤵
PID:2628

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4924

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4924 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1448

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4924 CREDAT:17414 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4624

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4624 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1436 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2628-130-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2628-132-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2628-131-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2628-133-0x0000000000540000-0x000000000054F000-memory.dmp

Filesize
60KB

Download
memory/2628-139-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2628-140-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads