gozi_ifsb | 3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e

General

Target

3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe
Size

361KB
MD5

71f184786153407c588600179f11a920
SHA1

8c8e733df5df5f73f176993b7e5d2e1f4aed1f8c
SHA256

3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e
SHA512

569bfeb1fa7f970b94b64e277436d7b6ca98c57bd02f480847dba244d3329d0e17a284d6c27935a4ae9460b45ca3b8e64a6357988a5203ab69c9ecbd07c83d4b

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

apprispl.exe

pid process

2968 apprispl.exe

pid	process
2968	apprispl.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\capigSup = "C:\\Users\\Admin\\AppData\\Roaming\\Azurives\\apprispl.exe"	3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2184 2968 WerFault.exe apprispl.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

apprispl.exe

pid process

2968 apprispl.exe
2968 apprispl.exe

pid	pid_target	process	target process
2184	2968	WerFault.exe	apprispl.exe

pid	process
2968	apprispl.exe
2968	apprispl.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.execmd.execmd.exeapprispl.exe

description	pid	process	target process
PID 1860 wrote to memory of 1576	1860	3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe	cmd.exe
PID 1860 wrote to memory of 1576	1860	3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe	cmd.exe
PID 1860 wrote to memory of 1576	1860	3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe	cmd.exe
PID 1576 wrote to memory of 2852	1576	cmd.exe	cmd.exe
PID 1576 wrote to memory of 2852	1576	cmd.exe	cmd.exe
PID 1576 wrote to memory of 2852	1576	cmd.exe	cmd.exe
PID 2852 wrote to memory of 2968	2852	cmd.exe	apprispl.exe
PID 2852 wrote to memory of 2968	2852	cmd.exe	apprispl.exe
PID 2852 wrote to memory of 2968	2852	cmd.exe	apprispl.exe
PID 2968 wrote to memory of 1652	2968	apprispl.exe	svchost.exe
PID 2968 wrote to memory of 1652	2968	apprispl.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe
"C:\Users\Admin\AppData\Local\Temp\3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DDE6\1E1.bat" "C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe" "C:\Users\Admin\AppData\Local\Temp\3C6AFF~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe" "C:\Users\Admin\AppData\Local\Temp\3C6AFF~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe
"C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe" "C:\Users\Admin\AppData\Local\Temp\3C6AFF~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 584
5⤵
- Program crash
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2968 -ip 2968
1⤵
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DDE6\1E1.bat
Filesize
112B

MD5
1e51a7558d04b3dcc9f4d16ef6f58d94

SHA1
5e842a7b795326c49d170735d50e22c1432f8a1f

SHA256
1d228832cbad21bce9bb87039863347d40068ebe74476d6dd16f7c7f044ed3e9

SHA512
133b350b80c3a976604313dfa451a726c2266fc18e7c54e386bc5bc1d34ece8a10ddc8e9d9f95f9e50dfadfae4a4627dbd0912fa04075045aa9dddfa49bb9c13

Download Submit
C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe
Filesize
361KB

MD5
71f184786153407c588600179f11a920

SHA1
8c8e733df5df5f73f176993b7e5d2e1f4aed1f8c

SHA256
3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e

SHA512
569bfeb1fa7f970b94b64e277436d7b6ca98c57bd02f480847dba244d3329d0e17a284d6c27935a4ae9460b45ca3b8e64a6357988a5203ab69c9ecbd07c83d4b

Download Submit
C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe
Filesize
361KB

MD5
71f184786153407c588600179f11a920

SHA1
8c8e733df5df5f73f176993b7e5d2e1f4aed1f8c

SHA256
3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e

SHA512
569bfeb1fa7f970b94b64e277436d7b6ca98c57bd02f480847dba244d3329d0e17a284d6c27935a4ae9460b45ca3b8e64a6357988a5203ab69c9ecbd07c83d4b

Download Submit
memory/1576-133-0x0000000000000000-mapping.dmp

Download
memory/1860-130-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1860-132-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/2852-135-0x0000000000000000-mapping.dmp

Download
memory/2968-136-0x0000000000000000-mapping.dmp

Download
memory/2968-139-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2968-141-0x0000000000710000-0x0000000000740000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads